IT Security Regulatory Update | December 2023

Focus: RTS & ITS for DORA, use of cloud services and third-party risk management

Highlight from December 2023

Second wave of RTS & ITS for DORA published

The ESAs published the second wave of technical regulatory and implementation standards (so-called RTS and ITS) in mid-December. This means that all detailed legal acts under DORA are now available in draft form and can be used for implementation.

Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

DORA: ICT incidents, pentration tests and subcontracting

The ESAs have published the second wave of RTS and ITS under DORA. The final publication date for these legal acts of the second wave is scheduled for July 17, 2024, with the first wave to be submitted to the Commission on January 17, 2024.
The contents of the drafts will be consulted with market participants from December 8 to March 4, 2024.
As with the first wave, the ESAs have also published an overview document in addition to the legal acts.

The RTS and ITS focus on the following topics:

  1. RTS and ITS on content, deadlines and templates for reporting significant ICT-related incidents
  2. Guidelines on aggregated costs and losses for significant ICT-related incidents
  3. RTS with specifics on threat-based penetration testing (TLPT)
  4. RTS on the subcontracting of critical or important functions
  5. RTS for the harmonization of monitoring
  6. Guidelines for cooperation between the ESAs and the competent authorities

Further details can be found on our web pages about DORA. We look forward to your visit!

DORA checklist

With the publication of this second wave, financial firms now have all the in-depth information at draft stage that can be expected before the DORA comes into force in January 2025.

You can find an overview of the ESAs here on the ESMA website.
The RTS and ITS as well as guidelines can be found here on the ESMA website.

Source: European Security and Markets Authority – ESMA,

Cloud use in accordance with BAIT

At its meetings in November 2023, BaFin’s special expert committee on IT dealt with the legally compliant use of cloud services with a focus on IT emergency management and the exit process. In both cases, the panel participants point out that the statements made reflect the status and may be subject to change over time.

1. IT emergency management

Particularly challenging for institutions is the lack of detailed information on the specific IT components used and often only standardized emergency measures by the service provider. In addition, virtualization has changed circumstances that also require rethinking the necessary regulatory measures.

In general, the committee upholds the outsourcing institution’s responsibility for emergency management. The abstraction boundary of the CMDB is also the boundary of the responsibility of the institution vs. the service provider. The financial company must therefore address the architectural, geographical, and service configurations of the cloud services and cloud applications in the emergency concept. Emergency tests below the abstraction boundary do not have to be temporally or logically dependent on those of the financial company. An exchange about results – especially if these indicate gaps beyond the abstraction limit – keeps providers and financial companies informed. However, the evidence provided by the cloud provider does not have to be customer specific.

2. Exit strategies

The creation of exit strategies, plans and tests is fundamentally complex. Financial companies can use the general and specific characteristics of an exit as a guide. The specific properties include, for example a high level of standardization, a lack of interoperability and concentration risks.

In general, it should be considered whether an exit could have a significant negative impact on operations. Depending on this, exit plans must be defined and operationalized. Specific risks from the risk analysis, the time horizon and service provider specifics must be considered. During the regular review, the operationalizability is to be scrutinized and adjustments are to be made if necessary.

The minutes of BaFin’s Special IT Committee on IT emergency management can be found here, the minutes on exit strategies here on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

FSB publishes final report on third party risk management

In response to concerns about the risks associated with outsourcing and third party relationships, the FSB has developed a toolkit for financial authorities and financial institutions to improve their risk management and oversight of third parties. The FSB has now presented this in its final report.

The final report includes common terms and definitions, tools for identifying critical services and potential risks as well as instructions for the supervisory authorities on how to deal with these and systemic risks. Existing standards and guidelines are considered or supplemented, but not replaced.

You can find the FSB’s final report here on its website.

Source: Financial Stability Board, c/o Bank for International Settlements, Basel, Switzerland –

The time for implementing DORA is running out. In various events, the supervisory authorities are calling on financial companies to stop waiting with the implementation. Especially with the publication of the second wave of RTS & ITS, institutions should become – or better yet stay – active.

Would you like an initial indication of the implementation in your company?
Take advantage of our limited special offer for a free DORA Quick Check!

We at ADWEKO are happy to assist you with the implementation of DORA.

talk to
Pia Streicher!

Pia Streicher