Legal Updates

The Digital Operational Resilience Act (DORA) creates a harmonised regulatory framework strengthening the information and communication technology (ICT) security of financial entities. DORA entered into force on 16 January 2023 and will apply to in-scope financial services entities from 17 January 2025. For further information, please refer to our previous briefings on the topic available here and here.

The European Supervisory Authorities[1] (the ESAs) have been tasked with developing technical standards implementing the new DORA framework.

On 8 December 2023, the ESAs published the second batch of policy mandates in respect of Articles 11(11), 20a, 20b, 26(11), 30(5), 32(7) and 41 of DORA. This includes consultation papers in respect of the following standards:

• Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents (Article 11(11)), available here;
• Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on content, timelines and templates on incident reporting (Articles 20a and 20b), available here;
• RTS on threat-led penetration testing (TLPT) (Article 26(11)), available here;
• RTS on subcontracting of critical or important functions (Article 30(5)), available here;
• Guidelines on oversight cooperation between ESAs and competent authorities (Article 32(7)), available here; and
• RTS on oversight harmonisation (Article 41), available here.

Market participants have been invited to provide their feedback on the draft technical standards by responding to the questions posed in the consultation papers.

The ESAs have also published an Introductory Note providing an overview of the consultation papers, available here.

Publication of the second batch of policy mandates follows publication of the first batch on 19 June 2023 in respect of Articles 15, 16(3), 18(3), 28(9) and 28(10). Please see our briefing on the first batch of policy mandates, available here.

Next Steps

The public consultation on the second batch of policy mandates remains open until 4 March 2024. The various legal instruments will be finalised by the ESAs and submitted to the European Commission by 17 July 2024.

Firms within the scope of DORA are encouraged to start preparing for its application by identifying any gaps in their ICT governance and processes and consider which of their service providers are likely to be considered critical. The requirements include (among others) a requirement for the implementation of certain contractual provisions into contracts for the provision of ICT services. Contracts with third-party providers supporting critical or important functions are subject to more comprehensive requirements than those third-party providers supporting other functions.

If you have any queries about the information contained in this article, please contact the authors or your usual Dillon Eustace contact.

Footnotes:

[1] The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).