DIGITAL Operational RESILIENCE | Current status of the delegated acts

In Article 43, DORA defines that supervised critical third-party ICT service providers must pay a supervisory fee to cover the costs of supervision. To this end, the ESAs are to define details on the calculation and method of payment. Due to a lack of information on the number of critical ICT third-party service providers and these service providers in general and their services, this has proven to be a challenge. Therefore, the ESAs first consider the scope of the fees with a focus on the estimated supervisory expenses and their adjustment. The paper then looks at the calculation methodologies used to calculate the actual fee, before turning to the payment of the fee by service providers. Finally, the ESAs address how to deal with the opt-in clause under Article 31(11) DORA.
In the second section, the authors also raise questions and ask market participants to respond to them.

The ESAs’ discussion paper can be found here on the EBA website.

The draft ITS includes templates for an information register of contractual relationships for the provision of ICT services by third-party ICT service providers, Art. 28 para. 9 DORA. The register is intended to support financial institutions in appropriately managing risks arising from service relationships and to make it easier for supervisory authorities to monitor dependencies between institutions and service providers. The templates also create a basis for common minimum contractual content that must be adequately taken into account in the risk management process together with the necessary information from the institution’s register.
The information requirements take into account the degree of dependency on the service provider and are therefore inherently proportional. Depending on how dependent an institution is on its service provider, additional information is required, for example on risk assessment, the supply chain or sub-outsourcing. The supervisory practice of various authorities, empirical values from previous data aggregations and the exchange of data between financial companies, the supervisory authorities and the Supervisory Forum were also taken into account when drawing up the guidelines.

The ITS consultation can be found here on the ESMA website.

With these RTS, the ESAs consider the classification of significant ICT incidents and threats, Art. 18 para. 3 DORA. First, the ESAs address the various criteria used to classify ICT incidents, such as data loss or critical functions of the institution affected. At the same time, they consider the requirements for the materiality threshold. They propose weighting the criteria differently in order to take account of the principle of proportionality.

In addition to critical ICT incidents, ICT threats are also addressed. The criteria used are the probability of occurrence, the potential impact on critical and important functions and the fulfillment of the criteria for a significant incident if the threat materializes.

The RTS consultation can be found here on the ESMA website.

These RTS bundle the harmonization of ICT risk management tools, methods, processes and guidelines, Art. 15 and 16 para. 3 DORA. The ESAs have decided to bundle the requirements for the “normal” and the simplified risk management process in one specification due to the similarity of the topics.

In the course of the RTS, the ESAs take a closer look at the various components of the DORA requirements for risk management and elaborate on them. Starting with governance, they work their way through the DORA requirements via risk management, asset management, encryption and cryptography, operational security, network security, project and change management, physical security, training and awareness training, human resources, identity and access management, dealing with ICT incidents, business continuity management and reporting. The simplified risk management framework takes a correspondingly reduced approach.

Existing frameworks, such as the EBA guidelines on ICT and security risk management from 2019 and the NIS2 directive, have been incorporated into the requirements. They are to be seen as complementary requirements to DORA itself, whereby the great importance of the requirements must be emphasized.

The RTS consultation can be found here on the ESMA website.

The draft contains specifications for the implementation of subcontracting of ICT services that support critical or important functions. The RTS thus focuses on ICT services that support critical or important functions or essential parts thereof that are provided by ICT subcontractors.

In doing so, the draft follows the lifecycle of agreements between financial entities and third-party ICT service providers when subcontracting and sets out the key requirements for financial entities to use such subcontractors. These include the following:

• the risk assessment that must be carried out before approving the subcontracting of ICT services related to critical or important functions,
• requirements for the contractual agreements,
• the monitoring of subcontracting agreements,
• notification of significant changes and
• exit and termination rights.

The RTS draft deals with three aspects:

1. Content of the notification for serious incident reports;
2. Deadlines for submitting an initial report and interim and final reports;
3. Content of the notification of significant cyber threats.

In doing so, it takes into account the approach to incident reporting set out in the NIS2 Directive.

As far as reporting deadlines are concerned, the draft proposes harmonized deadlines for all financial companies:

• Initial report: within 4 hours of classification as a serious incident, but no later than 24 hours after its discovery
• Interim report: within 72 hours of classification or when regular activities have resumed and business operations are back to normal
• Final report: no later than 1 month after classification.

Templates and formats for these reports can be found in the integrated ITS, which also contains the general reporting requirements.

With regard to the content of the reports on serious incidents, the draft aims to find a balance that allows the competent authorities to obtain the essential information without overburdening financial companies with a heavy reporting burden. With regard to significant cyber threats, the draft provides for a short, simple and concise content of the reports.

The draft guidelines set out the estimate of the aggregate annual costs and losses caused by major ICT-related incidents. The calculation of annual costs and losses under the guidelines is aligned with the assessment of the costs and losses of each individual incident under the RTS on incident reporting.

In particular, the guidelines provide for the reporting of gross costs and losses, financial recoveries and net costs and losses following major ICT-related incidents. The guidelines also propose to focus the reference period for aggregation on one financial year in order to be able to rely on available figures from the validated financial statements.

The draft aims to harmonize the requirements in all regulations and introduce efficient supervisory conditions for critical third-party service providers, financial companies and supervisory authorities throughout the EU. This is intended to avoid fragmentation of legislation and at the same time ensure the stability of the financial sector.

The draft guidelines only refer to the cooperation and exchange of information between the ESAs and competent authorities. Cooperation with financial firms, critical third party ICT providers, competent authorities with each other, between the ESAs and with other EU institutions is therefore outside the scope of the guidelines.

It covers the following four areas:

• General considerations
• Designation of critical third-party ICT providers
• Monitoring activities
• Follow-up to the recommendations