|

Add a bookmark to get started

26 de julio de 20247 minute read

DORA: First Delegated Regulations published in EU Official Journal

Last June 25, the first three delegated regulations under the Digital Operational Resilience Act (Regulation (EU) 2022/2554 – DORA) were published in the Official Journal of the European Union.

DORA, which applies from January 17, 2025, harmonizes the ICT governance and risk management rules for financial institutions. This is a very broad definition that includes not only banks but also insurance and reinsurance companies, payment and e-money institutions, investment firms, alternative fund managers and many other players in the financial system. Until now the rules had been fragmented in various bodies of regulations, adopted mainly at the level of industry authorities (EBA, ESMA and EIOPA – ESA).

DORA has mandated ESAs to develop Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), with the intention of specifying in detail the most critical aspects of the subject matter. These standards are then vetted and adopted by the European Commission through delegated acts.

The European Commission has now approved the three delegated regulations.

Let's examine the content of each Regulation and how financial entities can comply.

 

Delegated Regulation (EU) 2024/1772

The first Regulation establishes cyber incident classification criteria and materiality thresholds to determine which incidents and threats can qualify as serious.

Criteria for classifying cyber incidents consider the criticality of affected services, the profile of affected customers, counterparties, and transactions, data loss, reputational impact, geographic scope, and economic impact.

For each criterion, the Regulations specify a materiality threshold that, if reached, can lead to the incident being qualified as serious, according to the scheme summarized in the image below, provided by the Regulations.

Each threshold is based on different criteria like the number of customers, counterparties, and transactions affected, the duration of the incident and recovery time, the number of jurisdictions involved, the quality of the lost data, and the cost and magnitude of the loss.

Cyber threats are classified according to whether the threat is likely to materialize, whether it affects the important functions of the financial institution, and whether it meets the conditions that would classify it as a major incident if it occurred.

If the incident is classifiable as serious, the financial institution has to notify the relevant industry authority. For this reason, it is essential that the classification criteria are already properly internalized and shared with each ICT service provider so appropriate alert and notification systems are in place.

 

Delegated Regulation (EU) 2024/1773

These Regulations outline the principles that financial institutions have to include in their policies regarding contracts for ICT services to support essential or important functions. The Regulations include these principles:

  • The management body has the ultimate responsibility in addressing cyber risks, so the body has to be constantly involved in monitoring and managing cyber risks. This includes reviewing, at least once a year, the policy for using ICT services provided by third-party vendors.
  • The policy should outline rules, responsibilities and processes of the contract lifecycle to support critical or important functions. These functions include governance mechanisms for approving, managing and monitoring contracts; planning of contractual arrangements, including ex-ante risk assessment, due-diligence on suppliers and the process for approving new or amended arrangements; involvement of internal control functions in the various management phases; how contractual arrangements are monitored and managed; and structural elements of exit strategies and contract termination processes.
  • Contracts for ICT services to support essential or important functions must include certain clauses, identified by the Regulations and DORA. They cover service levels, relationships with subcontractors, data security requirements, and the financial institution's audit rights over the provider.

The Regulations require financial institutions to adopt a policy that's flexible and proportionate to the overall level of risk, which should also be assessed considering the size and complexity of the services provided. The goal is to have an effective tool that can adequately support the institution at all stages of the relationship with the provider.

 

Delegated Regulation (EU) 2024/1774

The latest published RTS defines ICT risk management processes and policies. The goal of the RTS is to provide financial institutions with a guideline for adopting a comprehensive, clear and functional framework for managing ICT risk. This includes identifying and assessing and adopting all appropriate measures to contain it.

There are several measures and procedures that each financial institution should adopt:

  • In ICT security, a policy for cryptographic key management, taking into account data classification and risk assessment, ensuring that cryptographic measures are appropriate and targeted to the specific risks identified.
  • A policy for identifying and monitoring vulnerabilities and threats, both internal and external to ICT systems and operations.
  • A detailed procedure for managing ICT assets, which must include data.
  • A policy for managing production environments that provides for strict separation of production environments from testing and development environments to prevent conflicts of interest and ensure strict control over access and changes to production data and systems.
  • A procedure for acquiring and developing software packages, and effective and secure integration into the existing IT environment, in accordance with established business and information security objectives.

The policies, while numerous, should facilitate more informed ICT risk management and aim at overall process optimization and efficiency.

 

Enterprises will have to comply in a short period of time

In the run-up to January 17, financial entities, and ICT service providers, should have started the process of adapting to DORA. It will now also be necessary to implement the additional requirements under the RTS. These will have to be supplemented by the second set of Regulations that the ESAs are expected to finalize and send to the Commission in the coming days (containing subcontracting chain requirements and penetration testing standards).

In light of the numerous requirements and stringent timelines of the compliance journey, a valuable tool that all firms should consider is a progress and activity tracking report. It allows financial institutions to effectively monitor the compliance process and provides tangible evidence of their timely and accurate commitment to compliance, ready to be presented to relevant authorities during audits, inquiries and inspections. This tool is even more valuable considering that the second set of RTS and ITS, with related requirements, won't be published until close to next year, effectively complicating full compliance by January 17, 2025.

Another key step in complying with the requirements of DORA and the RTS is to adjust all contracts with ICT service providers to include the necessary clauses outlined in the regulations.

This complex process can only begin with an internal analysis phase. It's essential to accurately map the contracts that fall within the scope of DORA, identifying, through the policies provided, which services support essential or important functions. Next, an organizational phase will be necessary to identify which contracts should be adjusted first, according to criteria of risk, complexity and importance of services, and analysis of key gaps to be filled.

Once the internal preparation phase has been completed, it will be possible to start the actual adjustment by preparing a set of clauses that meet the requirements of both DORA and the new RTS and directly negotiating the inclusion of the clauses with each supplier. In this process, it will also be useful to have secondary clauses for use during the negotiation that, while meeting DORA requirements, are less stringent for the supplier and more readily acceptable.

Finally, it's crucial to strengthen the management body so it's adequately prepared to meet the responsibilities imposed by DORA and the RTS. This body, while reporting directly to, or being part of, the board of directors, will need to have specific legal and technical expertise and a clear understanding of all procedures and measures taken.

In general, the path to compliance should not be limited to a series of bureaucratic requirements but must be based on a thorough risk analysis and assessment, following criteria of proportionality and flexibility. Considering the new RTS and upcoming deadlines, the months until January 17 will be crucial to ensure proper compliance and implementation of all DORA requirements.

Print