ESAs Issue Initial Rules under DORA, Addressing ICT, Third-Party Risk Management, and Incident Classification
The three European Supervisory Authorities (EBA, EIOPA, and ESMA) have released the initial set of finalized draft technical standards as part of the Digital Operational Resilience Act (DORA). These standards are designed to bolster the digital operational resilience of the European Union's financial sector. They do so by reinforcing the Information and Communication Technology (ICT) capabilities, third-party risk management, and incident reporting frameworks of financial entities.
RTS on ICT risk management framework and on simplified ICT risk management framework
The proposed RTS for the ICT risk management framework introduce additional components aimed at standardizing the tools, methods, processes, and policies used in ICT risk management; these components complement those already set out in DORA. The RTS also outline the essential elements that financial entities falling under the simplified regime, and those of smaller scale and of lower risk, size, and complexity, should implement, thereby establishing a streamlined ICT risk management framework. These standards are designed to harmonize ICT risk management requirements across the various financial sectors.
RTS on criteria for the classification of ICT-related incidents
These RTS specify the criteria used for classifying major ICT-related incidents, the methodology for their classification, and the materiality thresholds associated with each classification criterion. Additionally, the RTS provide criteria and materiality thresholds for the identification of significant cyber threats. They also specify the criteria that competent authorities should apply when assessing the relevance of incidents that might involve competent authorities in other EU Member States, and detail the information that should be exchanged concerning such incidents. Overall, the RTS aim to establish a consistent and straightforward process for classifying incident reports across the entire financial sector.
RTS on ICT TPP policy
These RTS define specific aspects of the governance structure, risk management, and internal control framework that financial entities must establish when engaging ICT third-party service providers. The objective is to guarantee that financial entities maintain control over operational risks, information security, and business continuity throughout the entire duration of their contractual relationships with these ICT third-party service providers.
ITS on the register of information
Finally, the ITS set out the templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The register of information will play a crucial role in the ICT third-party risk management framework of the financial entities and will be used by competent authorities and ESAs in the context of supervising financial entities’ compliance with DORA and to designate critical ICT third-party service providers that will be subject to the DORA oversight regime.
Next steps
The final draft technical standards have been submitted to the European Commission. The Commission will now commence the review process with the aim of adopting these initial standards in the upcoming months.
For inquiries please contact:
regulatory-advisory@rbinternational.com
RBI Regulatory Advisory
Raiffeisen Bank International AG | Member of RBI Group | Am Stadtpark 9, 1030 Vienna, Austria | Tel: +43 1 71707 - 5923