Launched on June 19 by the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs), the consultation focuses on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).
DORA was adopted on November 22, 2022 and will apply from 17 January 2025 (read our previous piece here for more information).
The consultation papers focus on the following standards:
1/RTS on ICT risk management framework and RTS on simplified ICT risk management framework, including requirements for:
ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training).
Human resources policy and access control
ICT-related incident detection and response
ICT business continuity management
Report on the ICT risk management framework review
2/RTS on criteria for the classification of ICT-related incidents setting out harmonised requirements for financial entities on:
The classification of ICT-related incidents by financial entities
The classification approach and materiality thresholds for determining major ICT-related incidents to be reported by financial entities to competent authorities.
The criteria and the thresholds to be applied when classifying significant cyber threats.
The criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents to relevant competent authorities in host Member States and the details of the information to be shared with them.
3/ITS to establish harmonised templates for the register of information to be maintained by financial entities, covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers at individual, consolidated and sub-consolidated level.
4/RTS to specify the policy on ICT services performed by ICT third-party providers
The draft standards set out the requirements for all phases that financial entities should undertake across the life cycle of ICT third-party arrangements (i.e. the pre-contractual phase; the implementation, monitoring and management of contractual arrangements for the use of ICT services supporting critical or important functions; and the exit strategy and termination processes).
These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.
Responses to the consultation must be provided by 11 September 2023.