Out-Law News

ESAs publish first set of rules for digital operational resilience in the EU
EU regulators have published final versions of an initial batch of four sets of technical operational resilience and cyber risk standards financial firms will have to comply with to operate in Europe.

The three European Supervisory Authorities (ESAs) which monitor financial system risks have published the final draft technical standards under the Digital Operational Resilience Act (DORA).

DORA establishes the rules for financial services firms in the EU on how to handle cyber risk, incident reporting, resilience testing, and third-party risk and outsourcing. The act’s objective is to improve the digital operational resilience of the EU financial sector.

Financial entities, as well as their supply chains, will have to comply with the standards made under DORA to enhance their digital operational resilience. Failure to do so may result in enforcement action, including fines.

The standards include Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). The RTS are rules set by the ESAs to ensure consistent application of EU legislation. They set out specific criteria to facilitate the application of the law and contain detailed requirements to support the implementation of DORA.

Two of the four finalised sets of standards cover requirements for ICT risk management and incident classification. The remaining two consist of a policy on ICT third-party services supporting critical or important functions and a register of information setting out contractual arrangements on the use of ICT services provided by ICT third-party service providers.

“This is the first of two sets of regulatory technical standards to be finalised under DORA,” said Luke Scanlon of Pinsent Masons, who specialises in technology contracts in financial services. “Financial entities will now want to adjust their approach towards complying with DORA to ensure that they are capturing all relevant requirements set out in these standards while also taking into account those that will be set out in the second batch of standards to be finalised later this year.”

ICT risk management is the process of identifying, evaluating, and managing the risks associated with the use of information and communication technology (ICT) in financial entities. Incident classification, by contrast, involves categorising and dealing with various kinds of ICT-related problems or threats, such as cyber-attacks or system failures.

The ITS specify how the relevant legislation is to be implemented in practice. They provide the essential information for implementing the RTS, functioning like practical instructions. The ITS were developed to establish the templates for the register of information on contractual arrangements with ICT third-party service providers.

DORA does not take effect until January 2025, and these rules will not apply until they have been adopted by the European Commission. The publication of these rules is a step in the ongoing process of finalising the new framework. The European Commission will first have to review and then enforce these standards to ensure their application in the EU financial sector.
