This comprehensive package encompasses four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. By addressing these critical aspects, the ESAs aim to fortify the digital infrastructure of financial entities and ensure a resilient and secure operational environment.
Policy Focus: Building a Robust Digital Framework
The consultation period is set to run until March 4, 2024, providing stakeholders and industry participants with a window to contribute their insights and feedback. This inclusive approach reflects the ESAs' commitment to gathering diverse perspectives and ensuring that the resulting regulatory framework is well-informed and effective.
We are pleased to share BDO's deep dive into the contents of the consultation paper, which covers two sets of standards:
- Regulatory technical standards (RTS) on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents; and
- Implementing technical standards (ITS) on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat.
These RTS and ITS are closely linked to the draft RTS specifying the criteria for the classification of ICT-related incidents and the materiality thresholds for major incidents and significant cyber threats under DORA, for which the public consultation closed on 11 September 2023.
Scope and timeline
These RTS and ITS apply to all financial entities subject to the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which covers, among others, credit institutions, investment firms, insurance and reinsurance undertakings, payment service providers, electronic money institutions, central securities depositories, central counterparties, trade repositories and credit rating agencies. ICT third-party service providers that support critical or important functions are also within DORA's scope, but the obligation to report major incidents and notify significant cyber threats under these RTS and ITS rests with the financial entity itself; in-scope entities should therefore ensure, contractually and operationally, that their providers can supply incident information quickly enough to meet the reporting time limits. The public consultation on the draft RTS and ITS runs until 4 March 2024, and the ESAs aim to submit the final texts to the European Commission for adoption in July 2024.
Conclusion
The RTS on the content of the notification and reports for major incidents and significant cyber threats and on the time limits for reporting major incidents, together with the ITS on the standard forms, templates and procedures for reporting a major incident and notifying a significant cyber threat under DORA, represent significant steps towards a unified and efficient framework for managing digital operational resilience in the EU financial sector. By standardising reporting content, procedures and timelines for major ICT-related incidents and significant cyber threats, these standards aim to enhance the sector's ability to respond to and recover from such events, thereby protecting the financial markets and their participants.
With the ESAs aiming to submit the final RTS and ITS to the European Commission in July 2024, stakeholders should use the consultation window to raise practical concerns and, in parallel, start aligning their incident classification, escalation and reporting processes with the draft templates and time limits, so that the transition into the new regulatory landscape is as seamless as possible.
BDO Malta: Your Trusted Partner for DORA Compliance
DORA applies from 17 January 2025, the date by which in-scope entities must be compliant. While this might seem a distant target, achieving DORA compliance is in fact a complex and challenging task that requires a concerted effort by the in-scope financial entities. At BDO Malta, we understand the profound impact that the journey towards DORA compliance has on such organisations. Our team of regulatory and compliance technical experts is dedicated to helping your company navigate this complex environment. Our comprehensive range of services includes:
- Board and Management Training on DORA;
- Expert guidance on DORA compliance;
- Performing gap analyses;
- Conducting risk assessments;
- Developing and implementing incident management and business continuity plans;
- Providing continuous support and monitoring.
Want to know more?
Get in touch