In brief
The EU’s Digital Operational Resilience Act (DORA) aims to promote, improve and ensure operational resilience within the financial services sector. It comes into effect on 17 January 2025. Last month, six months into the two-year implementation period, the European Supervisory Authorities (ESAs) published a consultation package regarding the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of DORA.
The package includes:
Draft RTS on the risk management framework that financial institutions (FIs) are required to introduce.
If finalised, this RTS would require FIs to ensure that their ICT policies, including information security policies, are embedded into the FI’s ICT risk management framework.
Additionally, FIs would need to ensure that there are proper governance measures and reporting lines in place to enable the FI’s management body to properly oversee and supervise the FI’s risk management framework.
Furthermore, the FI will need to ensure that the risk management framework and the various policies that form the framework should be made with a view to protecting network and data security, and guaranteeing an accurate and prompt data transmission without major disruptions and undue delay.
Draft RTS regarding the classification of ICT-related incidents.
The draft RTS provides an indication as to how FIs will be required to classify incidents as major. This will involve a two-staged test focused on primary and secondary criteria.
Under the present draft, the primary criteria include: (i) clients, financial counterparts and transactions; (ii) data losses; and (iii) critical services affected. The other criterion that is specified in Art. 18 of DORA would be treated as a secondary criterion, on the basis that, in the ESAs’ view, these are ancillary to the primary factors. Each factor will have its own classification thresholds – these are effectively a threshold that the incident will need to meet in order for the criterion to apply.
The ESAs have proposed to classify incidents as major if the classification thresholds of at least two primary criteria have been met, or at least three secondary criteria are met.
It should be noted that different criteria have different materiality thresholds. As such, it could be quite an extensive process to identify whether an ICT-related incident is material or not, as each different criterion will need to be assessed against its own materiality threshold.
Draft RTS specifying the content of the policy relating to the contractual arrangements on the use of ICT services supporting critical or important functions.
The draft RTS sets out requirements for the policy that FIs are required to have in place under Art. 28(2) of DORA.
Broadly, the policy would require FIs to introduce certain governance arrangements, carry out risk assessments and carry out due diligence into third-party ICT providers. The draft RTS sets out the ESAs’ current expectations in relation to these obligations.
The ESAs propose to treat third-party services providers and ICT intragroup service providers in the same way. In the ESAs’ view the requirements applicable to both types of providers are similar, even if the specific risks are different.
Draft ITS to establish the register of third-party ICT services.
This draft ITS provides the current draft templates on the register of information that FIs are required to keep on third-party ICT services under Art. 28(3) of DORA.
Broadly, the information required to be registered includes details on the FI maintaining the register, the contractual arrangements in place, details on the third-party services provider, details on whether alternative services are available, and classification of the relevant services. Generally, the information contained within the register aligns with what we would expect to see included under Art. 28(3).
The deadline for responses to this consultation package is 11 September 2023. The ESAs have made clear that all responses will be published unless requested otherwise. Following this, the final versions of these RTS and ITS are expected to be published in January 2024.
The next stage after this will be for the ESAs to consult on the second batch of RTS, including:
Guidelines on how losses caused by major ICT incidents should be estimated
How major ICT incidents are to be reported to relevant regulators
Specifications for the threat-led penetration testing that FIs are required to carry out as part of their operational resilience obligations
Subcontracting ICT services that support critical functions and documents relating to the direct oversight regime for critical ICT third-party providers (CTPPs)
The ESAs have also previously consulted on the direct oversight regime for CTPPs, focused on both the CTPP assessment criteria and the fees CTPPs are required to pay. This discussion paper suggested that the ESAs’ assessment of CTPPs will be through a two-stage test. Step one proposed indicators of a quantitative nature, which are to be assessed against minimum thresholds. Step two used indicators of a qualitative nature, which were designed to allow for a more granular assessment of the ICT provider. Only those providers which pass stage one would move onto stage two.
Step one factors vary between the different Art. 31(2) assessment criteria, but broadly include the number of financial entities served, the number of systemically important financial entities served, and the number of critical or important functions supported. Certain de minimis thresholds are set, below which ICT firms will not be caught by the CTPP designation. Many of these de minimis thresholds are set at 10% or less of the total value of assets/total assets equivalent per type of financial entity within the EU.
The de minimis thresholds indicate that a fair number of ICT providers would not amount to a CTPP, which aligns with the legislative intentions behind the direct oversight regime (i.e., to ensure that only the most systemic and important of ICT providers were subject to direct regulatory oversight).
The discussion paper also considered the amount of fees that CTPPs should pay as part of the direct oversight regime, which are designed to enable the ESAs recover the costs of operating the direct oversight regime. The ESAs have estimated that DORA oversight expenditure will amount to at least EUR 693,000 in 2025, EUR 2,553,000 in 2026 and EUR 2,683,000 in 2027 – but the discussion paper further indicated that these amounts are likely to be an underestimate as not all relevant tasks have been identified.
Art. 43 of DORA makes it clear that the amount a CTPP should pay will be based on their turnover. The ESAs have noted that they will need access to accounts within applicable deadlines to calculate the specific fees for each CTPP – but they expect that this will be manageable for CTPPs as they should be, in the ESAs’ view “well-established companies”. The ESAs also proposed that revenues generated by “all services” of the CTPPs should be considered in-scope when determining the oversight fee, but with a limitation to just EU based activities (including services provided into the EU from a third country). This is due to the risk that CTPPs will not have a harmonised approach on the definition of revenue.
To calculate the amount of fees, the ESAs propose using applicable turnover of the relevant CTPP divided by the total applicable turnover of all CTPPs, with a minimum fee fixed at EUR 50,000 to ensure that all CTPPs effectively pay, what the ESAs consider to be, their fair share. Payments are proposed to be collected once a year by the end of April each year to be invoiced and paid in Euros.
The deadline for responses expired in June. It is expected that the feedback to this discussion paper will form a part of the technical advice that the ESAs are required to submit to the European Commission in September 2023.
If you are a financial institution and would like assistance with ensuring your firm is compliant with DORA before the implementation window expires, our experts stand ready to help. Likewise, if you are an ICT provider and you want to understand what DORA means for you, or you are concerned that you could be deemed a ‘critical’ provider and be directly subject to financial services regulation, we can help you carry out a DORA impact assessment. Please contact our DORA leads above for further assistance.
