The European Supervisory Authorities (ESAs) – the combined agencies covering the banking, insurance, pensions and securities markets across the EU – have launched a public consultation on the first batch of draft technical standards for the EU’s Digital Operational Resilience Act (DORA).
The act, which entered into force on 16 January 2023, aims to enhance the digital resilience of entities across the EU financial sector and will apply from 17 January 2025. The ESAs, which are composed of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), were tasked with jointly developing 13 policy documents that will form the framework for DORA.
The four draft technical standards which have now been released are:
- Regulatory technical standards on ICT risk management frameworks and simplified ICT risk management frameworks, which cover a broad range of concerns including security, governance, ICT risk management, ICT change management, incident detection and response, and outage continuity policies (full document available here).
- Regulatory technical standards on the criteria for the classification of ICT-related incidents, which focus on incident response procedure, materiality thresholds, approaches to recurring incidents, economic impact of incidents and data losses (full document available here).
- Regulatory technical standards to specify the policy on ICT services performed by ICT third-party providers, covering the provision of critical ICT services by third parties, ex-ante risk assessment and contractual issues (full document available here).
- Implementing technical standards to establish the templates for the register of information, which outline the requirements for institutions implementing ICT policy (full document available here).
The consultation, details of which can be found here, is open to all interested stakeholders and runs until 11 September 2023.