
DORA is coming: ESAs release second batch of policy products

The ESAs, the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), have published the second batch of policy products under the Digital Operational Resilience Act (DORA).

This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and two guidelines, all of which aim at enhancing the digital operational resilience of the EU’s financial sector.

The public consultation on the above-mentioned technical standards and guidelines took place from 8 December 2023 to 4 March 2024. 

DORA seeks to harmonize existing regulations, integrate information and communication technology (ICT) risks into comprehensive risk management frameworks, and enhance transparency in relationships with ICT third-party providers. This landmark regulation, which applies to nearly all financial entities in Europe, is poised to drive significant changes in internal operations, necessitating strategic business decisions, updated operational and ICT structures, and increased efforts in training and upskilling.

A key highlight of DORA is its extra-territorial reach, requiring entities outside the EU that provide ICT services to comply with its provisions if serving financial entities within the EU.

Final draft technical standards published

On July 17, the ESAs published the following final draft technical standards:

  • RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats.
    These requirements will need to be addressed through operational risk management frameworks and contract remediation efforts with technology vendors.
    These RTS and ITS are closely linked to the draft RTS specifying the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554, which the ESAs published on 17 January 2024.

  • RTS on the harmonization of conditions enabling the conduct of the oversight activities.
    The RTS set out the requirements for standardising oversight activities, such as general investigations or inspections, to be conducted by the ESAs acting as the designated Lead Overseers (LO) for critical ICT third-party service providers (CTPPs).

  • RTS specifying the criteria for determining the composition of the joint examination team (JET).
    The LO will receive support from a JET comprising staff of the ESAs and the competent authorities (CAs) to conduct oversight activities for the CTPPs. The RTS outline the criteria for establishing a JET, including its tasks and working arrangements.

    The Joint Regulatory Technical Standards on the criteria for determining the composition of the joint examination team (JET) lay out the criteria for determining the composition of the joint examination teams – ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities. This also includes the designation of the members, their tasks, and working arrangements.

  • RTS on threat-led penetration testing (TLPT).
    ‘Threat-led penetration testing (TLPT)’ means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

The set of guidelines includes:

  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
  • Guidelines on oversight cooperation.

Read more here.

DORA is less than six months away

Beginning January 17, 2025, financial entities based in the EU must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with DORA.

As we wrote in our previous materials, DORA aims to mitigate the systemic and concentration risks stemming from the financial sector’s dependence on a few information and communication technology (ICT) third-party providers (TPPs). It establishes an oversight framework for TPPs serving the EU that the three EU supervisory authorities consider “critical to the stability and integrity of the [EU] financial system” and designate as critical TPPs.

We wrote about this and DORA’s key requirements in more detail here.

Non-EU Technology Providers will become subject to DORA

Importantly, in addition to the provisions of DORA that apply to EU financial entities, DORA will also apply to critical third-party providers (TPPs) that provide services such as information and communication technology to EU financial entities. 

This means that DORA is expected to apply to non-EU TPPs, including those in the US and UK, that offer services to EU financial entities such as banks, broker-dealers, insurers, and others. 

How can we help?

Our multidisciplinary team of business analysts and regulatory reporting, data and technology experts has the dedicated knowledge and expertise to help clients meet the challenge of DORA compliance.

Working alongside our clients on similar compliance journeys, we support them as a technology and strategic partner.  

In our role as a strategic partner, we offer an overview of the regulation to the Board of Directors and other key stakeholders. This includes an introduction to DORA, its timeline, an overview of its five core pillars, and its key implications. By monitoring the evolution of DORA and its associated regulatory and technical standards, we keep our clients informed about the latest updates and their impact on processes.

To meet regulatory requirements and address reporting challenges, BR-AG provides the technology and services needed to achieve DORA compliance in an automated manner, optimizing time, resources, and cost.

Contact us to learn how we can assist you in achieving DORA compliance.

We’ll be keeping a close eye on the upcoming developments related to DORA. Sign up for our newsletter to stay in the know.
