On 17 July 2024, the European Supervisory Authorities ("ESAs") finalised the second batch of DORA level 2 texts complementing the regulatory obligations under Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector ("DORA Regulation").
The DORA Regulation indeed mandated the ESAs to prepare jointly a set of policy products with two main submission deadlines to the European Commission on 17 January 2024 (first batch) and 17 July 2024 (second batch). However, the level 2 rules on subcontracting of critical or important functions (Article 30(5) of DORA), which were also expected to be included in the second batch (and which were eagerly awaited by financial entities and ICT third party service providers) are still to be finalised and the ESAs indicated in their press release that these remaining level 2 rules will be published "in due course".
A few days before, the Luxembourg law of 1 July 2024 implementing certain aspects of DORA and transposing Directive (EU) 2022/2556, which aims to include a cross-reference to DORA in financial sector directives with a view to ensuring compliance with DORA as regards the organisational requirements to be put in place by financial entities, was also published in the Luxembourg official gazette ("DORA Law"). In this context, the Commission de Surveillance du Secteur Financier ("CSSF") and the Commissariat aux Assurances ("CAA") have been designated as competent authorities in Luxembourg responsible for ensuring the compliance of their respective supervised financial entities with DORA, and have been vested with the supervisory, investigatory and sanctioning powers necessary for the performance of their duties within the limits defined by DORA.
Like DORA, the DORA Law as well as the first batch and second batch of EU policy products will start to apply as from 17 January 2025.
This Newsflash focuses on the second batch of DORA EU level 2 supplementing texts published by ESAs on 17 July.
WHAT IS NEW IN THE SECOND BATCH?
In a nutshell, the second batch issued by the EAS include the following final reports on draft regulatory technical standards ("RTS"), draft implementing technical standards ("ITS") and joint guidelines ("GL"), all of which aim at enhancing the digital operational resilience of the EU's financial sector.
1. RTS and ITS
1.1. Final report - Draft RTS and ITS on content, format, timelines and templates for reporting major ICT-related incidents and significant cyber threats (Article 20 (a) and (b) of DORA)
The ESAs have listened to the comments of the respondents in the consultation process and have agreed to be more flexible in the last draft RTS and ITS with respect to certain requirements, such as:
- The content of major ICT-related incident/significant cyber threat reports, which has been specified and notably the number of fields to be completed have been reduced; and
- The timeline for submission of initial, intermediate and final reports for each major incident has been relaxed notably to (i) increase to 72 hours from the initial notification (instead of 72 hours from the classification of the incident as major) the delay to submit the intermediate report and (ii) limit the reporting requirements during the week-end notably on the basis that not all financial entities keep a 24/7 incident reporting support function. This being said, the strict deadline for the initial notification (i.e. 4 hours from the classification of the incident but no later than 24 hours from the moment the financial entity has become aware of the incident) is kept.
It is worth noting that, in addition, the ESAs issued a press release on 17 July 2024 according to which the ESAs will establish a EU systemic cyber incident coordination framework ("EU-SCICF") in the context of DORA, which will strengthen the coordination among financial authorities and other relevant bodies in the European Union, as well as with key actors at international level.
1.2. Final report - Draft RTS on threat-led penetration testing (Article 26(11) of DORA)
As a general background, threat lead penetration testing ("TLPT") as required by Article 26(11) of DORA is the obligation for certain financial entities to organise controlled attempts to compromise their cyber resilience by simulating the tactics, techniques and procedures of real-life threat actors to test their systems.
In this respect, the last draft RTS set out:
- Specific criteria to identify financial entities required to perform TLPT and confirmation that the "TLPT authorities" should exclude from the scope of TLPT those financial entities operating in core financial services subsectors for which TLPT is not justified; and
- Requirements applicable to the use of external and internal testers and testing methodology and to the possibility for financial entities to rely on pooled or joint TLPT.
1.3. Final report - Draft RTS on harmonisation of conditions enabling the conduct of the oversight activities (Article 41(1), (a), (b) and (d) of DORA)
The last draft RTS include:
- Specification of the scope of information to be provided by ICT third-party service providers ( "TPSP") designated as critical to the "lead overseer" as defined under DORA (being either ESMA, EBA or EIOPA); and
- Details of competent authorities' assessment of the measures taken by critical ICT TPSP.
1.4. Final report – Draft RTS on the criteria for determining the composition of the joint examination team ("JET") (Article 41(1), (c) of DORA)
Under DORA, the ICT TPSP designated as critical will be subject to an oversight framework, and these RTS specify the criteria for determining the composition and tasks of the JET (to be composed of a balanced participation of staff members from the ESAs and from the relevant competent authorities), which JET will assist the "lead overseer" conducting the oversight activities.
It has to be noted that these draft RTS could be merged by the European Commission before their final adoption in a single document with the other draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities.
2. GL
2.1. Final report - GL on aggregated costs and losses from major incidents (Article 11(11) DORA)
- Reporting covering the gross costs and losses caused by major ICT-related incidents; and
- Financial entities may choose whether the reference year for reporting should correspond to the calendar year or accounting year.
2.2. Final report - GL on oversight cooperation between ESAs and competent authorities (Article 32(7) of DORA)
- Procedures and conditions for allocation/executions of tasks; and
- Exchanges of information to ensure follow-up recommendations addressed to critical ICT TPSP.
NEXT STEPS
The final draft RTS and ITS have been submitted to the European Commission, who will review them with the objective to adopt them formally in the coming months before the DORA application deadline (i.e. 17 January 2025).
The GL should also apply from 17 January 2025.
PRACTICAL IMPACT
The publication of this second batch of DORA supplementing documents will speed up the process at the level of financial entities, which now have six months left to become DORA compliant (i.e. by 17 January 2025).
ICT register and ICT policy are two key points of attention to be tackled by financial entities as soon as possible to meet the 17 January 2025 deadline. The update of the agreements with ICT TPSP will be impacted by the RTS on subcontracting of critical or important functions which are still to be published by the ESAs.
→ To access the brochure consolidating DORA Regulation and DORA level 2 texts, click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.