EU regulators (the ESAs) have launched a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA) which are designed to add in more detail to the obligations businesses face around information and communication technology (ICT) risk in financial services.
The technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management. The consultation runs until September 11, 2023.
DORA, which entered into force on January 16, 2023 and will apply from January 17, 2025, will effectively organize and harmonize obligations on financial services firms arising from a number of existing regulatory standards and guidelines in relation to ICT risk and outsourcing. It will also introduce a new framework of direct regulation of major technology providers to financial entities.
DORA has mandated the ESAs (the EU’s three supervisory authorities in financial services – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – to jointly draft the standards.
“There is good reason to take steps as part of initial implementation activities to be become familiar with the provisions in draft in order to plan effectively for implementation within the timeframes required.”Luke Scanlon of Pinsent Masons
The first batch of technical standards have now been published and concern different aspects of the DORA regime. There are four in total:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework. The draft RTS on ICT risk management framework sets out requirements with respect to:
- ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training);
- human resources policy and access control;
- ICT-related incident detection and response;
- ICT business continuity management;
- report on the ICT risk management framework review; and
- RTS on criteria for the classification of ICT-related incidents. The draft ITS expands on the classification criteria outlined in DORA. Under DORA, financial firms are required to classify ICT-related incidents and determine their impact based on criteria outlined in the legislation, firms should consider:
- the number of clients affected by the incident;
- downtime of service arising from the incident;
- the geographic spread of the incident;
- whether there has been any loss of data;
- how critical the impacted services were;
- and the economic affect of the incident. The classification requirements are designed to assist firms in identifying incidents that need to be reported to regulators under DORA’s incident-reporting provisions.
- ITS to establish the templates for the register of information. The draft ITS establishes harmonized templates for the register of information to be maintained and updated by the financial entities. These templates are a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third party service providers. The ESAs are mandated to develop templates to support firms.
- RTS to specify the policy on ICT services performed by ICT third-party providers. The draft RTS provides detail on the policy financial entities are required to develop under DORA on their use of ICT services supporting critical or important functions provided by ICT third-party service providers. It set out the requirements for all phases that should be undertaken by financial entities regarding the life cycle of ICT third-party arrangements management.
Legal basis and next steps
The four draft standards are open to consultation until September 11, 2023. The supervisory authorities have until January 17, 2024 to submit finalized standards to the European Commission for adoption.
A second batch of technical standards, to be prepared by the ESAs, is expected to be published for consultation in November or December. The final version of those standards must be submitted to the European Commission by July 17, 2024.
Luke Scanlon of Pinsent Masons, who specialises in technology contracts in financial services, said: “Financial entities will now need to ensure that their efforts to implement DORA take into account the provisions of each technical standard. As the date on which DORA will apply in full force is likely to be very close to the dates on which the standards are finalized, there is good reason to take steps as part of initial implementation activities to be become familiar with the provisions in draft in order to plan effectively for implementation within the timeframes required.”
DORA is a new regulation that aims to strengthen ICT security of financial entities in the European Union, such as requirements around business continuity and disaster recovery, the reporting of major ICT-related incidents, and the management of third-party ICT risk. It sets out enhanced requirements around digital operational testing, including around penetration testing.
It was published in the Official Journal of the EU on December 27, 2022, will enter into force on January 16, 2023 and should be applied from January 17. It will apply to a range of financial entities, including credit institutions, investment firms, central securities depositories, central counter parties, trading venues, benchmark administrators, fund management companies, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers.
There are limited exclusions for smaller firms, and DORA will also apply to third-party ICT service providers such as cloud platforms and data analytics providers.
In the UK
In the UK, the Financial Services and Markets Bill, currently before parliament, provides for the establishment of a new “critical third parties” (CTPs) regime in UK financial services, under which some service providers to financial institutions would be designated as subject to direct regulation. If implemented, these changes will result in CTPs – some of which may not regard themselves as part of the finance sector – being regulated directly by financial services supervisory authorities. This would represent a major shift in approach.