DIGITAL Operational RESILIENCE | Current status of the delegated acts

The delegated acts under the DORA Regulation deal with various aspects of DORA and provide financial companies with more information on implementation and the legislator’s requirements.

We have taken a closer look at the legal acts and compiled some information for you, based on the date of their planned publication.

Critical ICT service providers: monitoring fees and classification criteria

Update from November 16, 2023: Both legal acts are available as European Commission initiatives. Feedback will be accepted until 14.12.2023.

The ESAs approached market participants at the end of May 2023 with a discussion paper in order to take their input into account in an advice to be submitted to the European Commission by September 30, 2023. The ESAs submitted their opinion to the Commission at the end of September.

The two legal acts address critical ICT third-party service providers, specifically the criteria for their identification and the supervisory fees to be paid by them. The publication of the Commission’s final delegated regulations is planned by July 17, 2024.

1. Criteria for identifying critical ICT third-party service providers

Article 31 DORA sets out initial criteria that characterize a critical ICT third-party service provider. These are now being supplemented by the ESAs with quantitative and qualitative factors that should make it easier to clearly classify them into the category. Thresholds are also defined that must at least be exceeded in order to be considered a critical ICT third-party service provider.
To this end, the ESAs propose the following procedure:

  1. Assessment of service providers against a minimum standard;
  2. Assessment of remaining service providers against further criticality indicators to identify critical ICT third-party service providers within the EU.

In this first section of the paper, the authors raise a number of questions that will be addressed in the comments. These include, among other topics, what obstacles and challenges market participants see in the identification process.
Finally, the ESAs present the various factors among those mentioned in DORA that they consider relevant for classification. They provide the reader with context and – where relevant – present the minimum threshold that must be exceeded.

2. Calculation and payment of supervision fees

In Article 43, DORA defines that supervised critical third-party ICT service providers must pay a supervisory fee to cover the costs of supervision. To this end, the ESAs are to define details on the calculation and method of payment. Due to a lack of information on the number of critical ICT third-party service providers and these service providers in general and their services, this has proven to be a challenge. Therefore, the ESAs first consider the scope of the fees with a focus on the estimated supervisory expenses and their adjustment. The paper then looks at the calculation methodologies used to calculate the actual fee, before turning to the payment of the fee by service providers. Finally, the ESAs address how to deal with the opt-in clause under Article 31(11) DORA.
In the second section, the authors also raise questions and ask market participants to respond to them.

The ESAs’ discussion paper can be found here on the EBA website.

First wave of delegated acts

The ESAs have published the first wave of RTS and ITS under DORA and consulted on them by September 11, 2023. The final publication date of these legal acts is planned for January 17, 2024.

The contents of the drafts were criticized by some market participants. Among other things, the proportionality of the requirements is being questioned.

Some statements can be found here: BVI, DK, Insurance Europe.

1. RTS on guidelines for contractual relationships with third-party ICT service providers for critical and important functions

In this draft, the ESAs approach the topic of guidelines for contractual relationships with third-party ICT service providers for critical and important functions (CI functions), Art. 28 para. 10 DORA. The basic idea behind the requirements is the approach known from existing outsourcing regulations, namely that the ultimate responsibility for the function remains with the institution.

Internal responsibility for the service relationship must therefore be clearly assigned to different corporate functions. The guidelines enable comprehensive management of operational risk in the context of the relationship with third-party ICT service providers for CI functions. Accordingly, they cover the entire life cycle of such a relationship and address governance, risk management and the internal control system, among other things. However, financial companies should also ensure that their service providers have sufficient resources and capacities to meet contractual and supervisory requirements. Overall, the ESAs do not make a fundamental distinction between internal and external service providers, but address all third-party ICT service providers for CI functions.

The RTS consultation can be found here on the ESMA website.

2. ITS for the information register on ICT services

The draft ITS includes templates for an information register of contractual relationships for the provision of ICT services by third-party ICT service providers, Art. 28 para. 9 DORA. The register is intended to support financial institutions in appropriately managing risks arising from service relationships and to make it easier for supervisory authorities to monitor dependencies between institutions and service providers. The templates also create a basis for common minimum contractual content that must be adequately taken into account in the risk management process together with the necessary information from the institution’s register.
The information requirements take into account the degree of dependency on the service provider and are therefore inherently proportional. Depending on how dependent an institution is on its service provider, additional information is required, for example on risk assessment, the supply chain or sub-outsourcing. The supervisory practice of various authorities, empirical values from previous data aggregations and the exchange of data between financial companies, the supervisory authorities and the Supervisory Forum were also taken into account when drawing up the guidelines.

The ITS consultation can be found here on the ESMA website.

3. RTS for the classification of critical ICT incidents and threats

With these RTS, the ESAs consider the classification of significant ICT incidents and threats, Art. 18 para. 3 DORA. First, the ESAs address the various criteria used to classify ICT incidents, such as data loss or critical functions of the institution affected. At the same time, they consider the requirements for the materiality threshold. They propose weighting the criteria differently in order to take account of the principle of proportionality.

In addition to critical ICT incidents, ICT threats are also addressed. The criteria used are the probability of occurrence, the potential impact on critical and important functions and the fulfillment of the criteria for a significant incident if the threat materializes.

The RTS consultation can be found here on the ESMA website.

4. RTS on ICT risk management with a focus on tools, methods, processes and guidelines

These RTS bundle the harmonization of ICT risk management tools, methods, processes and guidelines, Art. 15 and 16 para. 3 DORA. The ESAs have decided to bundle the requirements for the “normal” and the simplified risk management process in one specification due to the similarity of the topics.

In the course of the RTS, the ESAs take a closer look at the various components of the DORA requirements for risk management and elaborate on them. Starting with governance, they work their way through the DORA requirements via risk management, asset management, encryption and cryptography, operational security, network security, project and change management, physical security, training and awareness training, human resources, identity and access management, dealing with ICT incidents, business continuity management and reporting. The simplified risk management framework takes a correspondingly reduced approach.

Existing frameworks, such as the EBA guidelines on ICT and security risk management from 2019 and the NIS2 directive, have been incorporated into the requirements. They are to be seen as complementary requirements to DORA itself, whereby the great importance of the requirements must be emphasized.

The RTS consultation can be found here on the ESMA website.

Second wave of delegated acts

The ESAs have published the second wave of RTS and ITS under DORA. The final publication date of these legal acts is planned for July 17, 2024.
The contents of the drafts will be consulted with market participants from December 8 to March 4, 2024.

1. RTS on threat-based penetration testing (TLPT)

The DORA requires certain financial institutions to perform advanced testing with the TLPT at least every three years.

The RTS detail the criteria for determining which financial entities must conduct TLPT, the requirements and standards for the use of internal auditors, the requirements relating to the scope, testing methodology and approach for each phase of testing, the results, completion and remediation, and the type of supervisory and other relevant cooperation required to conduct TLPT and facilitate mutual recognition.

2. RTS on the subcontracting of critical or important functions

The draft contains specifications for the implementation of subcontracting of ICT services that support critical or important functions. The RTS thus focuses on ICT services that support critical or important functions or essential parts thereof that are provided by ICT subcontractors.

In doing so, the draft follows the lifecycle of agreements between financial entities and third-party ICT service providers when subcontracting and sets out the key requirements for financial entities to use such subcontractors. These include the following:

  • the risk assessment that must be carried out before approving the subcontracting of ICT services related to critical or important functions,
  • requirements for the contractual agreements,
  • the monitoring of subcontracting agreements,
  • notification of significant changes and
  • exit and termination rights.

3. RTS and ITS on content, deadlines and templates for reporting incidents

The RTS draft deals with three aspects:

  1. Content of the notification for serious incident reports;
  2. Deadlines for submitting an initial report and interim and final reports;
  3. Content of the notification of significant cyber threats.

In doing so, it takes into account the approach to incident reporting set out in the NIS2 Directive.

As far as reporting deadlines are concerned, the draft proposes harmonized deadlines for all financial companies:

  • Initial report: within 4 hours of classification as a serious incident, but no later than 24 hours after its discovery
  • Interim report: within 72 hours of classification or when regular activities have resumed and business operations are back to normal
  • Final report: no later than 1 month after classification.

Templates and formats for these reports can be found in the integrated ITS, which also contains the general reporting requirements.

With regard to the content of the reports on serious incidents, the draft aims to find a balance that allows the competent authorities to obtain the essential information without overburdening financial companies with a heavy reporting burden. With regard to significant cyber threats, the draft provides for a short, simple and concise content of the reports.

4. Guidelines on aggregated costs and losses for significant incidents

The draft guidelines set out the estimate of the aggregate annual costs and losses caused by major ICT-related incidents. The calculation of annual costs and losses under the guidelines is aligned with the assessment of the costs and losses of each individual incident under the RTS on incident reporting.

In particular, the guidelines provide for the reporting of gross costs and losses, financial recoveries and net costs and losses following major ICT-related incidents. The guidelines also propose to focus the reference period for aggregation on one financial year in order to be able to rely on available figures from the validated financial statements.

5. RTS for the harmonization of monitoring

The draft aims to harmonize the requirements in all regulations and introduce efficient supervisory conditions for critical third-party service providers, financial companies and supervisory authorities throughout the EU. This is intended to avoid fragmentation of legislation and at the same time ensure the stability of the financial sector.

6. Guidelines for cooperation between the ESAs and the competent authorities in supervision

The draft guidelines only refer to the cooperation and exchange of information between the ESAs and competent authorities. Cooperation with financial firms, critical third party ICT providers, competent authorities with each other, between the ESAs and with other EU institutions is therefore outside the scope of the guidelines.

It covers the following four areas:

  • General considerations
  • Designation of critical third-party ICT providers
  • Monitoring activities
  • Follow-up to the recommendations

We at ADWEKO are happy to provide you with our expertise!

talk to

Pia Streicher

Pia Streicher