May 17, 2024

Preparing for DORA: Summary of the final drafts of the first batch of regulatory technical standards

Listen to this article

NAVIGATING DORA: A SUMMARY OF THE FINAL REGULATORY STANDARDS

This document summarizes the final drafts of the initial set of regulatory technical standards (RTS) for the Digital Operational Resilience Act (DORA).

DORA, a European Union regulation, aims to bolster the digital resilience of the financial sector. It applies to a broad range of financial institutions, including banks, investment firms, and insurance companies.

RTS provides specific details and implementation methods for fulfilling the core principles and obligations established by DORA. It was released by the European Supervisory Authorities (ESAs) for the financial sector on January 17, 2024.

ESSENTIAL PRACTICES FOR MANAGING ICT RISKS IN MANAGEMENT FRAMEWORK

A new Regulatory Technical Standard (RTS) outlines key principles for managing Information and Communication Technology (ICT) risks in the financial sector. This standard aims to harmonize the way financial institutions approach ICT risk management across the EU.

Here are the eight key areas the RTS focuses on, requiring financial institutions to develop and implement policies around:

      • ICT Asset Management – ensures proper monitoring and management of the entire lifecycle of ICT assets, including record-keeping.

      • Encryption and Cryptographic Controls – are designed based on approved data classification and ICT risk assessments.

      • ICT Project Management – ensures effective management of ICT projects related to the acquisition, development, and maintenance of the institution’s ICT systems.

      • Physical and Environmental Security – safeguards ICT assets and information based on cyber threats, data classification, and overall risk profile.

      • Human Resources – integrates ICT security responsibilities into existing HR policies, ensuring personnel awareness and accountability.

      • Identity Management and Access Control – ensures proper identification and authentication of users accessing the institution’s information, enabling appropriate access control.

      • ICT-related Incident Management – outlines procedures for documenting, managing, and resolving ICT-related incidents through technical, organizational, and operational measures.

      • ICT Business Continuity – defines the objectives, scope, timeframe, and criteria for ensuring business continuity in case of ICT disruptions.

    It’s important to note that further technical standards on advanced threat-based penetration testing of ICT systems are expected on July 17, 2024.

    RTS CRITERIA

    This harmonized approach streamlines incident reporting and threat analysis across the EU, enhancing collaboration and response efforts within the financial sector.

    1. Classifying Major ICT Incidents

    Covers factors like:

        • Client, Financial Counterparts, and Transactions: How many were impacted by the incident?

        • Reputational Impact: Did the incident damage the institution’s reputation?

        • Service Disruption: How long did the incident last and what services were affected?

        • Geographical Spread: Did the incident impact multiple locations?

        • Data Loss: Were any sensitive data compromised?

        • Economic Impact: What were the financial losses caused by the incident?

      2. Identifying Significant Cyber Threats

      Considers threats with the potential to affect:

          • Critical Functions: Could the threat disrupt essential financial services?

          • Financial Institutions: Could it impact other financial entities or their clients?

          • Third-Party Providers: Could the threat compromise services provided by third parties?

          • Probability of Occurrence: How likely is the threat to materialize?

        3. Sharing Incident Information with Authorities

        utlines when incidents should be reported to competent authorities in other EU countries, based on:

            • Origin of the Incident: Did the attack originate from another member state?

            • Impact on Other Countries: Did the incident significantly impact clients, markets, or institutions in other member states?

          RTS POLICY ON ICT SERVICES

          Regulatory Technical Standard (RTS) outlines specific requirements for financial institutions using ICT third-party service providers (TPPs) for critical or important functions. The standard focuses on three key aspects:

          1. Governance and Internal Controls

              • Financial institutions must establish a governance framework, risk management procedures, and internal controls for managing these relationships with TPPs.

              • The framework includes assigning clear internal responsibilities for approving, managing, documenting, and overseeing the relevant contracts.

              • Financial institutions also need to ensure their staff possess the skills, experience, and knowledge necessary to effectively oversee these arrangements.

            2. Senior Management Oversight

                • The standard mandates the clear identification of senior management responsible for monitoring these critical third-party partnerships.

                • It further requires ensuring the contractual agreements align with the financial institution’s overall ICT risk management framework.

              3. Independent Review and Audit

                  • Financial institutions are required to subject critical or important ICT services provided by TPPs to independent review.

                  • Additionally, these services must be included in the institution’s internal audit plan.

                  • The standard aims to ensure robust oversight and risk management practices when financial institutions rely on critical ICT services delivered by external providers.

                The EU plans to publish further technical standards on assessing and overseeing TPPs on July 17, 2024.

                ITS TEMPLATES

                Implementing Technical Standard (ITS) establishes 15 standardized templates for financial institutions to use in their register of information regarding ICT third-party service providers (TPPs).

                Benefits of Standardization

                    • Universal Usage: These templates apply to all financial institutions, regardless of size or structure, ensuring consistency across the sector.

                    • Simplified Reporting: The unified format simplifies information reporting for both financial institutions and regulatory authorities.

                    • Enhanced Transparency: Standardized templates promote transparency by guaranteeing consistent capture of relevant details about TPP relationships.

                    • Information Covered:

                  The 15 templates encompass a comprehensive range of information, including:

                      • Entity details – Identification of the reporting entity and its subsidiaries.

                      • Contract specifics – Specific details of each contractual agreement with a TPP.

                      • Parties involved – Entities on both sides of the agreement (those receiving and providing the ICT service).

                      • Service criticality – Evaluation of the criticality of the ICT service provided by the TPP.

                      • Internal definitions – Definitions and terminology used by the reporting entity regarding ICT services.

                    ITS aims to streamline information reporting and enhance transparency in how financial institutions manage their relationships with ICT TPPs. This standardization ultimately contributes to a more secure and robust financial sector.

                    WHAT’S NEXT?

                    The final drafts of the Regulatory Technical Standards (RTS) for DORA (Digital Operational Resilience Act) are currently undergoing the final approval process by the European Commission, Parliament, and Council.

                    Key Dates

                        • Once approved – The final versions of the RTS will be published.

                        • Implementation – The RTS is expected to be adopted in the coming months and will apply to all financial entities under DORA.

                        • Enforcement – The expected enforcement date is January 17, 2025.

                      Financial institutions can use this time to prepare for DORA compliance by following these steps:

                      1. Inventory and Mapping

                      Review your current:

                          • Inventory of ICT third-party service providers (TPPs).

                          • Contractual arrangements with TPPs.

                          • Map these details to the standardized templates provided by the Implementing Technical Standard (ITS).

                        2. Systems and Processes

                        Establish or improve systems and processes for:

                            • Collecting, validating, and updating information required for the register of information on TPPs.

                            • Reporting this information regularly.

                            • Monitoring changes in the risk profile and performance of TPPs.

                          3. Collaboration with TPPs

                          Communicate with your TPPs about:

                              • Their reporting obligations and expectations.

                              • The need for their cooperation in providing information.

                              • The need for their cooperation in providing information.

                              • Consider amending contracts with TPPs to require their compliance with reporting requirements.

                            4. Policy and Procedures

                              • Develop or update policies and procedures to govern the management of the register of information, including:

                              • Roles and responsibilities of personnel involved.

                              • Escalation and reporting mechanisms for identified issues.

                              • Audit and review activities to ensure ongoing compliance.

                            By taking these proactive steps, financial institutions can ensure a smooth transition to DORA compliance and contribute to a more secure and resilient financial sector within the EU.

                            Interested in speaking with our consultants? Click here to get in touch

                             

                            Some sections of this article were crafted using artificial intelligence technology