Four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS) are included in this consultation. The primary objective of these technical standards is to create a consistent and harmonised legal framework for ICT risk management, major ICT-related event reporting, and ICT third-party risk management.
The first set of technical standards must be submitted to the European Commission by 17 January 2024 and include the following:
- Regulatory Technical Standards (RTS) on ICT risk management framework and simplified ICT risk management.
- Regulatory Technical Standards (RTS) governing the classification of ICT-related occurrences.
- Implementing Technical Standards (ITS) for establishing templates for the information register.
- Regulatory Technical Standards (RTS) to define the policy for ICT services provided by third-party ICT providers.
The development of these draft technical standards aligns with DORA (Regulation (EU) 2022/2554) Articles 15, 16(3), 18(3), 28(9), and 28(10).
The Digital Operational Resilience Act (DORA) came into effect on 16 January 2023, and will be applicable from 17 January 2025. Its main objective is to strengthen the digital operational resilience of entities in the European Union's financial sector, while also ensuring greater uniformity in the key requirements for digital operational resilience among all EU financial entities. This legal framework addresses critical areas such as ICT risk management, incident management and reporting, testing of digital operational resilience, and handling ICT third-party hazards.
How can BDO help?
Achieving compliance with the onerous DORA obligations within the stipulated timeframe will be challenging and time-consuming. While DORA allows a transition period until 17 January 2025, BDO recommends that in-scope organisations kick-off preparations immediately.
BDO recommends adopting a phased approach whereby the in-scope entities chart a DORA Compliance Program with the aim of achieving DORA compliance by the end of the transition period. Failure to achieve compliance may lead to severe fines from January 2025 onwards. We can help you with DORA compliance by providing expert guidance on the regulation, conducting risk assessments and gap analysis, developing and implementing incident management and business continuity plans, and providing ongoing support and monitoring.