top of page
  • Writer's pictureDeborah

Launched on June 19 by the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs), the consultation focuses on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).

DORA was adopted on November 22, 2022 and will apply from 17 January 2025 (read our previous piece here for more information).

The consultation papers focuses on the following standards:

1/RTS on ICT risk management framework and RTS on simplified ICT risk management framework, including requirements for:

  • ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training).

  • Human resources policy and access control

  • ICT-related incident detection and response

  • ICT business continuity management

  • Report on the ICT risk management framework review

  • Proportionality

2/RTS on criteria for the classification of ICT-related incidents setting out harmonised requirements for financial entities on:

  • The classification of ICT-related incidents by financial entities

  • The classification approach and materiality thresholds for determining major ICT-related incidents to be reported from financial entities to competent authorities.

  • The criteria and the thresholds to be applied when classifying significant cyber threats.

  • The criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents to relevant competent authorities in host Member States and the details of the information to be shared with them.

3/ITS to establish harmonised templates for the register of information to be maintained by financial entities covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers at individual, consolidated, and, sub-consolidated level.

4/RTS to specify the policy on ICT services performed by ICT third-party providers

  • The draft standards set out the requirements for all phases that should be undertaken by financial entities regarding the life cycle of ICT third-party arrangements management (i. E. the precontractual phase; the implementation, monitoring and management of contractual arrangements for the use of ICT services supporting critical or important functions; and the exit strategy and the termination processes).

These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.

Responses to the consultation must be provided by 11 September 2023.

Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

Upcoming Regulatory Deadlines to Watch

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern


bottom of page