ESAs Release Comprehensive DORA Policy Package, Enhancing EU Financial Sector's Digital Resilience

The European Supervisory Authorities (ESAs) - comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority - have unveiled their second batch of policy products under the Digital Operational Resilience Act (DORA) on July 26, 2024. This extensive package, aimed at bolstering the digital operational resilience of the EU's financial sector, includes four final draft Regulatory Technical Standards (RTS), one set of Implementing Technical Standards (ITS), and two guidelines.

Central to this release is the joint Final Report on draft RTS for subcontracting information and communication technology (ICT) services. This crucial document outlines requirements for financial entities when subcontracting ICT services that support critical or important functions. The standards cover the entire lifecycle of contractual arrangements with ICT third-party service providers, from initial risk assessment and due diligence to ongoing monitoring and eventual exit strategies.

The subcontracting RTS, mandated by Article 30(5) of DORA, addresses a key concern in the financial sector's increasing reliance on external ICT services. It requires financial entities to maintain robust oversight of their ICT subcontracting chain, ensuring they can effectively monitor and manage risks associated with critical services. Importantly, the standards emphasize that subcontracting arrangements, including those within a group, do not diminish a financial entity's responsibility for risk management and regulatory compliance.

In developing these standards, the ESAs have taken into account the diverse landscape of the financial sector, considering factors such as the size, overall risk profile, and operational complexity of different entities. This approach aims to ensure the standards are both comprehensive and adaptable to various organizational contexts within the financial industry.

The package also introduces significant measures for incident reporting and cybersecurity testing. The RTS and ITS on reporting major ICT-related incidents and significant cyber threats aim to standardize the content, format, and timelines for such reports across the EU financial sector. This standardization is expected to enhance the sector's collective ability to respond to and learn from significant ICT incidents.

Another noteworthy component is the RTS on threat-led penetration testing (TLPT). This standard sets out a framework for conducting advanced cybersecurity tests, which simulate real-world attack scenarios. By mandating such rigorous testing, the ESAs aim to identify and address potential vulnerabilities in financial entities' ICT systems before they can be exploited by malicious actors.

The guidelines on estimating costs and losses from major ICT-related incidents provide a methodological framework for financial entities to assess the financial impact of such events. This is expected to aid in risk management and resource allocation decisions, as well as provide valuable data for the broader financial ecosystem.

In developing these standards, the ESAs engaged in extensive consultation with industry stakeholders and relevant EU bodies. The European Central Bank and the European Union Agency for Cybersecurity were specifically consulted on the incident reporting standards, ensuring alignment with broader EU cybersecurity initiatives.

As the next step, the ESAs have submitted the draft RTS to the European Commission for adoption. Once adopted, these standards will require financial institutions across the EU to review and potentially overhaul their ICT practices, particularly in areas of third-party service provision and subcontracting.

This comprehensive policy package represents a significant leap forward in the EU's efforts to create a more resilient and secure digital infrastructure for its financial sector. By addressing key areas such as subcontracting, incident reporting, and cybersecurity testing, the ESAs are laying the groundwork for a financial system that can withstand the evolving challenges of the digital age while ensuring the continuous provision of services and the protection of customer data.