The European Supervisory Authorities (ESAs) have submitted to the European Commission the first batch of draft technical standards under the Digital Operational Resilience Act (DORA). The ESAs consulted on these texts last summer. The latest versions include important edits to those original drafts.
The changes and clarifications made by the ESAs are broadly helpful. However, the core requirements – and the fast-approaching implementation deadline – remain unchanged.
ICT risk management framework
DORA requires financial firms to adopt an ICT risk management framework. This framework must include many documents, including a digital operational resilience strategy and a crisis communication plan. Regulatory technical standards will further specify what this framework should look like.
The ESAs previously proposed an article in these RTS which would have required firms to take into account elements of increased complexity or risk when designing their ICT risk management framework. The revised provision in their submission to the Commission now allows firms to also consider elements of reduced complexity or risk and apply the rules more proportionately as a result.
A draft article that laid out which tasks should be assigned to the control function responsible for DORA compliance has been removed (although the ESAs may revisit this via guidelines in the future). Some other provisions have also been adjusted to allow firms a bit more flexibility for implementation.
Classifying ICT-related incidents
DORA requires firms to classify ICT incidents and determine their impact according to certain criteria. “Major” ICT incidents need to be reported to regulators. Regulatory technical standards will further specify the criteria for classifying incidents as major.
The ESAs previously proposed a complex approach for classifying major incidents. This would have involved firms trying to apply a series of primary and secondary criteria. This system has been removed in the final version of the RTS. In its place is a slightly more streamlined approach under which firms need to assess first whether critical services are affected and then consider whether other criteria are met, applying an adjusted set of materiality thresholds.
Register of information
DORA requires firms to maintain a register of information about their contractual arrangements for the use of third-party ICT services. Among other things, this must note which services are used to support critical or important functions. Implementing technical standards will establish the templates to be used for this register.
The ESAs have clarified some rules relating to the register. For example, it has to include information on all subcontractors that effectively underpin ICT services supporting critical or important functions, or a material part thereof. The register needs to be reviewed on a "regular basis". The list of ICT services has also been modified, for example to remove the catch-all "other ICT service".
Policy on ICT services supporting critical or important functions
DORA requires firms to have a strategy on ICT third-party risk. This strategy must include a policy on the use of ICT services performed by third parties which support critical or important functions. Regulatory technical standards will further specify the content of the policy.
The ESAs have removed some points of detail from the RTS but overall the rules relating to this policy are largely unchanged following the consultation.
What happens next?
The Commission will formally adopt this first batch of RTS and ITS in the coming months. Meanwhile the ESAs are consulting on a second batch of policy documents under DORA. This second batch will be finalised in the summer, six months before DORA starts to apply on 17 January 2025.
Visit our operational resilience webpage to access our DORA resources, including a Level 2 measures tracker.