DORA officially came into force on January 16, 2023, and it is set to apply starting on January 17, 2025.  
The primary objective of the regulation is to strengthen the digital operational resilience of entities operating within the EU financial sector and to promote greater consistency in essential digital operational resilience standards for all financial entities across the European Union. This regulatory framework encompasses critical areas such as the management of ICT risks, the handling and reporting of ICT-related incidents, testing procedures for digital operational resilience, and the supervision of ICT third-party risks. 

Enhanced cooperation with the ESAs

The European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), play a pivotal role in the implementation and enforcement of the Digital Operational Resilience Act (DORA). They serve as the central authority for the implementation and oversight of DORA, working to ensure the digital operational resilience of financial entities in the EU. 

The ESAs, through the Joint Committee (JC), have been tasked with collectively developing a total of 13 policy instruments. These documents, the so-called ‘technical standards’, are a particular category of level 2 mandates that must be drafted and submitted to the Commission. In addition, the Commission is also set to introduce two delegated acts regarding the oversight of third parties as complementary measures to the DORA regulation. The first will pertain to the criteria used for designating critical ICT third-party providers, while the second will focus on the fees associated with the execution of oversight responsibilities.

The EC and ESAs have established a two-year transition period spanning 2023 and 2024, allowing companies to prepare for and implement DORA. During this phase, the ESAs will work on refining these technical standards and providing more specific regulatory guidance.

Level 2 Texts under each pillar of DORA

Pillar 1 - ICT Risk Management
  • Guidelines on the estimation of annual costs and losses caused by major ICT-related incidents. (Article 10)
  • RTS on ICT risk management tools, methods, processes and policies. (Article 15)
  • RTS on the simplified ICT risk management framework (Article 16)
Pillar 2 - Incident Management, Classification and Reporting
  • RTS on the classification of ICT-related incidents. (Article 18.3)
  • RTS on the reporting of major ICT-related incidents to authorities (Article 20.1(a))
  • ITS on templates and procedures for the reporting of major ICT-related incidents (Article 20.1(b))
  • Joint report on assessing the feasibility of establishing a single EU Hub for reporting major ICT-related incidents. (Article 21)
Pillar 3 - Digital Operational Resilience Testing
  • RTS on advanced testing (TLPT) requirements in accordance with the TIBER framework. (Article 26)
Pillar 4 - Managing Third-Party Risks
  • ITS on the templates for the register of information on contractual arrangements with ICT third-party service providers. (Article 28.9)
  • RTS on contents of the policy on ICT services supporting critical or important functions. (Article 28.10)
  • RTS specifying the contractual provisions when subcontracting ICT services supporting critical or important functions. (Article 30)
  • Delegated Act from the Commission on the criteria for the designation of critical ICT third-party providers (Article 31)
  • Guidelines on the cooperation between ESAs and competent authorities on the structure and detailed procedures of the oversight framework. (Article 32)
  • RTS on the information to be provided by the critical third-party service provider to the Lead Overseer (Article 41)
  • Delegated Act from the Commission on the fees in relation to the conduct of oversight tasks. (Article 43)

Wave 1

Deadline: January 2024

  • RTS on ICT risk management tools, methods, processes and policies. (Article 15)
  • RTS on the simplified ICT risk management framework (Article 16)
  • RTS on the classification of ICT-related incidents. (Article 18.3)
  • ITS on the templates for the register of information on contractual arrangements with ICT third-party service providers. (Article 28.9)
  • RTS on contents of the policy on ICT services supporting critical or important functions. (Article 28.10)

Wave 2

Deadline: July 2024

  • Guidelines on the estimation of annual costs and losses caused by major ICT-related incidents. (Article 10)
  • RTS on the reporting of major ICT-related incidents to authorities (Article 20.1(a))
  • ITS on templates and procedures for the reporting of major ICT-related incidents (Article 20.1(b))
  • RTS on advanced testing (TLPT) requirements in accordance with the TIBER framework (Article 26)
  • RTS specifying the contractual provisions when subcontracting ICT services supporting critical or important functions. (Article 30)
  • Delegated Act from the Commission on the criteria for the designation of critical ICT third-party providers (Article 31)
  • Guidelines on the cooperation between ESAs and competent authorities on the structure and detailed procedures of the oversight framework. (Article 32)
  • RTS on the information to be provided by the critical third-party service provider to the Lead Overseer (Article 41)
  • Delegated Act from the Commission on the fees in relation to the conduct of oversight tasks. (Article 43)

Wave 3

Deadline: January 2025

  • Joint report on assessing the feasibility of establishing a single EU Hub for reporting major ICT-related incidents. (Article 21)

So, what’s next?

The initial release, made available on June 19, 2023, consists of four Regulatory Technical Standards (RTSs) and one Implementing Technical Standard (ITS), as detailed below. This set of standards was open for public review and commentary until September 11, 2023:

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
  • RTS on criteria for the classification of ICT-related incidents;
  • ITS to establish the templates for the register of information;
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

After considering the input gathered during the public consultation, the legal instruments will undergo finalisation and are slated for submission to the European Commission no later than January 17, 2024.

Regardless of your current stage in the development of your digital and operational resilience, DORA should serve as the driving force to initiate or enhance your resilience efforts. Considering that we are currently at the midway point of the two-year preparatory phase, financial organizations should already be in the process of conducting thorough gap analyses to assess their readiness for DORA.

This proactive approach will help pinpoint areas that demand additional investments and strategic prioritisation well in advance. It positions your organisation to effectively address more intricate demands like third-party risk management, threat intelligence, and advanced security assessments, thereby proactively fortifying itself against potential shortcomings.

In what ways can Grant Thornton help?

Considering the intricacies and stringent requirements of this regulation, our consultants have developed a guided path to achieving DORA compliance. Starting with a preliminary readiness assessment and extending to helping you establish your digital operational resilience strategy, we stand ready to provide comprehensive support throughout your compliance journey.