Luxembourg - Financial Supervision – Consultation on the first batch of Digital Operational Resilience Act (DORA) policy products

In Brief

On 19 June 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes three draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).

These are the first four complementary regulatory texts, containing detailed guidance that aims at ensuring a consistent and harmonised legal framework in the following areas: ICT risk management, major ICT-related incident reporting and ICT third-party risk management.

Regulatory background

DORA has mandated the ESAs to jointly develop a total of 13 policy instruments in two batches. This first batch of technical standards is clear proof that the ESAs, together with the Commission, have prepared a comprehensive and detailed set of complementary regulatory texts that should not be taken lightly. The three RTS and one ITS that have entered public consultation are to be submitted by the ESAs to the European Commission by 17 January 2024. They are the following:

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
  • RTS on criteria for the classification of ICT-related incidents;
  • ITS to establish the templates for the register of information;
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

The RTS on the ICT risk management framework further specifies, in nine additional sections, the numerous mandates under Articles 15 and 16 of DORA, which focus among others on:

  • ICT governance;
  • encryption and cryptography;
  • ICT asset management;
  • network security;
  • ICT and information security awareness and training.

Some of the presented requirements, in particular those related to reporting obligations, which now come with a dedicated format to follow, will certainly be entirely new for many financial entities.

The incident reporting aspect of DORA has also received further clarification regarding the classification of ICT-related incidents, as well as the various materiality thresholds that will classify an incident as major, or potentially as a significant cyber threat, requiring thorough reporting to the relevant national authority.

Lastly, the ITS on the register of information creates a new challenge for financial entities, which will need to carefully map their ICT service supply chain, potentially across several layers of sub-providers, including any ICT third-party provider supporting the financial entity, as well as assess their critical or important functions.

What’s next?

The consultation runs until 11 September 2023 and is open to all participants who may submit their comments to the ESAs. Additionally, the ESAs are organising a public hearing in the form of a webinar on 13 July 2023.

This batch of technical standards shall be submitted to the European Commission by 17 January 2024.

Contact us

Cécile Liégeois

Clients & Markets Leader, PwC Luxembourg

Tel: +325 621 332 245

Michael Horvath

Advisory Partner, Sustainability Leader, PwC Luxembourg

Tel: +352 49 48 48 3612

Koen Maris

Advisory Partner, Cybersecurity & Privacy Leader, PwC Luxembourg

Tel: +352 49 48 48 2096

Vojtech Volf

Senior Manager, Advisory, PwC Luxembourg

Tel: +352 621 334 132