The EU’s Digital Operational Resilience Act starts to apply in January 2025. Before then the European Supervisory Authorities need to put the final touches to DORA’s “Level 2” standards. The ESAs consulted on the first batch of these technical standards earlier this year. The second – and final – batch is now open for consultation.
These technical standards and ESA guidelines are important because they amplify the requirements that firms and critical ICT third party service providers must contend with as they implement DORA. The first round of policy documents should be finalised in early 2024, but this latest batch is unlikely to be finalised before the summer, leaving only six months before the DORA deadline.
Draft RTS on subcontracting ICT services supporting critical or important functions
DORA requires financial entities to reconsider their contractual arrangements with ICT third party service providers and make sure that they include certain things, such as provisions on data protection and termination rights. Contractual arrangements on the use of ICT services that support critical or important functions are subject to tighter standards. For example, DORA requires these arrangements to include unrestricted rights of access for the financial entity and its regulator to enable them to monitor the ICT third party service provider’s performance.
DORA also requires the contractual arrangements to indicate whether subcontracting of an ICT service supporting a critical or important function is permitted in the first place and, if it is, what conditions apply to that subcontracting. The ESAs' draft regulatory technical standards now lay out further elements for a financial entity to assess in relation to any such subcontracting.
The main point to note is that these technical standards will impact firms' repapering exercises. Financial entities must make sure that relevant contractual arrangements specify, for example, the monitoring and reporting obligations of the ICT third party service provider and the audit rights to be granted by the subcontractor to the financial entity and its regulators. Other requirements include an obligation on the financial entity to monitor and document the entire ICT subcontracting chain and to ensure it is informed, with sufficient notice, about material changes to subcontracting arrangements.
Draft RTS/ITS on major incident reporting
DORA harmonises the regime for firms to report ICT-related incidents to regulators. This includes requiring financial entities to submit an initial notification, intermediate report and final report to their regulator after a major incident.
In draft regulatory technical standards the ESAs propose time limits for each of these reports.
- The initial notification must be sent within four hours of the incident being classified as major, and no later than 24 hours after the incident was detected
- The intermediate report is due within 72 hours of the classification of the incident as major, or when business is back to normal
- The final report is due within one month of classification, unless the major incident is still ongoing
The ESAs suggest 101 data points for firms to collect in relation to major incidents. Some of these fields are mandatory, others conditional. They are set out in draft implementing technical standards which also prescribe templates for the initial notification and intermediate and final reports.
There are similar reporting requirements under Bank of England, FCA and PRA proposals for a critical third party regime in the UK. The UK regime, however, proposes a more outcomes-based approach which does not stipulate the timing or format of the incident reports.
Other standards under consultation
The ESAs have also included the following in their second batch of policy documents under DORA:
- Draft RTS specifying elements related to threat-led penetration testing (TLPT), which includes a proposed approach for identifying which financial entities will be required to perform TLPT under DORA, such as global systemically important institutions (G-SIIs), larger payments firms and CSDs
- Draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities, which is relevant to potential critical ICT third party service providers because it specifies a long list of additional information which service providers must provide to the ESAs on request
- Draft guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities, which explains how regulators will work together on designating and supervising critical ICT third party service providers
- Draft guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents, which are relevant to several reporting requirements under DORA including the major incident reporting RTS noted above
The consultation on all these policy papers runs until 4 March 2024.