Digital Operational Resilience | Current status of the delegated acts

We have screened the regulation to survey affected companies and the associated implementation effort, and to identify the implementation timeline. We will keep you up to date on the pending delegated acts here.

ESAs Address Critical ICT Third-Party Service Providers Under DORA.

The ESAs approached market participants with a discussion paper at the end of May 2023 in order to take their input into account in the advice to be submitted to the EU Commission by September 30, 2023. The paper addresses critical ICT third-party service providers, specifically the criteria for their identification as well as the supervisory fees they are required to pay. Delegated regulations on both are to be submitted to the Commission by July 17, 2024.
Comments on the discussion paper will be accepted by the ESAs until June 23, 2023.

1. Criteria for identifying critical ICT third-party service providers.

Article 31 of DORA provides initial criteria that distinguish a critical ICT third-party service provider. The ESAs now supplement these to make clear categorization easier. Minimum thresholds are also defined that must be exceeded for a provider to be considered a critical ICT third-party service provider.
To that end, the ESAs propose the following approach:

  1. Evaluation of service providers against a minimum standard;
  2. Assessment of remaining service providers against further criticality indicators to identify the critical ICT third-party service providers within the EU.

Regarding this first section of the paper, the authors raise some questions to be addressed in the comments. These include, among other topics, what obstacles and challenges market participants see in the identification process.
Finally, the ESAs present the various factors among those identified in DORA that they consider relevant to the classification. They provide the reader with context for this and – where relevant – present the minimum limit that must be exceeded.

2. Calculation and payment of supervision fees

In Article 43, DORA defines that supervised critical ICT third-party service providers must pay a supervision fee to cover the costs of supervision. For this purpose, the ESAs are to define details of the calculation and the method of payment. Because information on the number of critical ICT third-party service providers, and on these service providers and their services in general, is lacking, this has proved to be a challenge. First, therefore, the ESAs look at the scope of fees with a focus on estimated oversight expenses and how they are adjusted. The paper then addresses the methodologies for calculating the actual fee before turning to the payment of the fee by service providers. Finally, the ESAs address the handling of the opt-in clause under Article 31(11) DORA.
In the second section, the authors also raise questions and ask market participants to respond to them.
The discussion paper of the ESAs can be found here on the EBA website.

ESAs provide first wave of RTS and ITS under DORA for consultation

The ESAs have published the first wave of RTSs and ITSs under DORA and are making them available for consultation until September 11, 2023. The final publication date of these acts will be January 17, 2024. We will be happy to keep you up to date via our website on digital operational resilience. An overview of the published and pending RTSs and ITSs can be found here on the EBA website.

3. RTS on guidelines for contractual relationships with ICT third-party service providers for critical and important functions.

In this draft, the ESAs approach the issue of guidelines for contractual relationships with ICT third-party service providers for critical and important functions (CI functions), Art. 28 para. 10 DORA. The basic idea behind the requirements is the approach familiar from existing regulations surrounding outsourcing, namely that ultimate responsibility for the function remains with the institution.
Internal responsibility for the service relationship must therefore be clearly assigned to different corporate functions. The guidelines enable comprehensive management of operational risk in the context of the relationship with third-party ICT service providers for CI functions. Accordingly, they address the entire lifecycle of such a relationship, including governance, risk management and the internal control system. In doing so, however, financial firms should also ensure that their service providers maintain sufficient resources and capacity to meet contractual and regulatory requirements. Overall, the ESAs do not make a fundamental distinction here between intragroup and external service providers, but address all third-party ICT service providers for CI functions.
You can find the consultation of the RTS here on the ESMA website.

4. ITS for the information register on ICT services

The draft ITS includes templates for an information register of contractual relationships for the provision of ICT services by ICT third-party service providers, Art. 28 para. 9 DORA. The register is designed to help financial firms appropriately manage risks arising from service relationships and to help supervisors monitor interdependencies between institutions and service providers. The templates also provide a basis for common minimum contractual content to be sufficiently considered in the risk management process together with the necessary information from the institution’s register.
Information requirements take into account the degree of dependence on the service provider and are therefore inherently proportional. Depending on how dependent an institution is on its service provider, additional information is required, for example information necessary for risk assessment, the supply chain or subcontracting. In preparing it, consideration was also given to the supervisory practices of various authorities, empirical values from data aggregations that have already taken place, and the exchange of data between financial companies, the supervisory authorities and the supervisory forum.
You can find the consultation of the ITS here on the ESMA website.

5. RTS for the classification of critical ICT incidents and threats.

With these RTSs, the ESAs consider the classification of significant ICT incidents and threats, Art. 18 para. 3 DORA. To this end, the ESAs first address the various criteria used to classify ICT incidents, such as data loss or critical functions of the institution affected. At the same time, they consider the requirements for the materiality threshold. They propose that the criteria be weighted differently in the process in order to take account of the principle of proportionality.
In addition to critical ICT incidents, ICT threats are also addressed. The criteria used are the probability of occurrence, the potential impact on critical and important functions, and the fulfillment of the criteria of a significant incident in the event that the threat materializes.
You can find the consultation of the RTS here on the ESMA website.

6. RTS on ICT risk management with a focus on tools, methods, processes and guidelines.

These RTS take up the harmonization of ICT risk management tools, methods, processes and guidelines in a bundled manner, Art. 15 and 16 para. 3 DORA. The ESAs have chosen to combine the requirements for the “normal” and simplified risk management processes into one requirement due to the subject matter similarity.
As part of the RTS, the ESAs are taking a closer look at and elaborating on the various components of DORA’s risk management requirements. Starting with governance, they work through DORA’s requirements in turn: risk management, asset management, encryption and cryptography, operational security, network security, project and change management, physical security, training and awareness training, human resources, identity and access management, ICT incident handling, business continuity management and reporting. The simplified risk management framework takes a correspondingly reduced form.
The requirements incorporate existing frameworks, such as the 2019 EBA Guidelines on ICT and Security Risk Management and the NIS2 Directive. They should be seen as complementary specifications to DORA itself, and the high importance of the specifications should be emphasized.
You can find the consultation of the RTS here on the ESMA website.

We at ADWEKO are happy to provide you with our expertise!

talk to

Pia Streicher