
22 July 2024 · 5 minute read

European Supervisory Authorities issue second batch of technical standards under DORA

On 18 July, the European Supervisory Authorities (ESAs) published the final versions of their second batch of their draft regulatory technical standards (RTS) and implementing technical standards (ITS) developed under the Digital Operational Resilience Act (DORA), as well as two sets of Guidelines.

Summary of draft regulatory technical standards and implementing technical standards
  • Final draft RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats

DORA requires a financial entity to report major ICT-related incidents to the relevant competent authority. In addition, financial entities may, on a voluntary basis, notify significant cyber threats.

In summary, these RTS cover:

  1. the content of the reports to be submitted for major ICT-related incidents, as well as the standard forms and templates for the reports
  2. the time limits for reporting these incidents to the competent authority, and
  3. the form and content of the notification for significant cyber threats.

The RTS setting out the criteria for classifying major ICT-related incidents and significant cyber threats came into effect earlier this week.

DORA sets out requirements for the security of network and information systems of financial entities and of the critical third parties providing ICT services to them. This includes an obligation on in-scope financial entities to conduct advanced testing by means of TLPT at least every 3 years.

In summary, these RTS include:

  1. the criteria used for identifying those financial entities required to perform TLPT
  2. the requirements and standards governing the use of internal testers
  3. the requirements in relation to the scope of TLPT, testing methodology and approach for each phase of the testing process, and
  4. the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition of that testing.

Under DORA, each critical ICT third-party service provider (CTPP) will have a designated 'Lead Overseer', who will be one of the three European Supervisory Authorities. DORA grants powers to the Lead Overseer in exercising oversight of CTPPs.

In summary, these RTS include:

  1. the content and format of the information to be submitted by CTPPs that is necessary for the Lead Overseer to carry out its duties (including the template for providing information on subcontracting arrangements), and
  2. the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical.

The Lead Overseer mentioned above will be assisted in its oversight activities by the 'joint examination team' or 'JET'. These RTS set out the criteria for determining the composition of the JET and specify its tasks and working arrangements. The JET will be composed of staff members from the ESAs and competent authorities who have expertise in ICT matters and operational risks; these RTS are intended to ensure a balanced participation of staff members from those different organisations.


Summary of Guidelines

In addition to the above, the ESAs have issued two sets of Guidelines:

If requested by a competent authority, a financial entity will have to report an estimation of aggregated annual costs and losses caused by major ICT-related incidents. These Guidelines propose how a financial entity should estimate the annual costs and losses, and which figures to use for the estimation. The ESAs have previously stated that they will apply the same approach as that adopted for assessing costs and losses under other DORA RTS.

The ESAs and competent authorities have received new roles and responsibilities as part of DORA's pan-European oversight framework. These Guidelines are intended to ensure a consistent supervisory approach, including a coordinated approach to the oversight of CTPPs.

The Guidelines cover cooperation and information-sharing between the ESAs and competent authorities, including how they will allocate tasks between them and what information competent authorities will need in order to follow up on any recommendations addressed to CTPPs in their territory.


Next steps

The final draft RTS and ITS have been submitted to the European Commission for review and adoption, subject to any changes the Commission may choose to make. The Joint Guidelines have been adopted already by the Board of Supervisors of the three ESAs.

A notable omission is the regulatory technical standards (RTS) on subcontracting, which are due to be delivered today under DORA (Article 30.5). Those are the standards that specify what a financial entity must take account of when allowing the subcontracting of ICT services that support critical or important functions. The ESAs have stated that those RTS will be published 'in due course'.

For further information or if you have any questions, please get in touch with your DLA contact.
