Since our last newsletter, in which we reported on the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (“DORA”), and Directive (EU) 2022/2556 (the “Directive”), and in particular on the enactment of the Luxembourg national law transposing the Directive, there have been several developments in the efforts to achieve DORA’s main objective: greater digital operational resilience in the financial sector of the European Union.
Second batch of policy products
Shortly after our last newsletter, on 17 July 2024, the EBA, EIOPA and ESMA (the “ESAs”) published the second batch of policy products under DORA, comprising Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines. The Guidelines have already been adopted by the Boards of Supervisors of each of the ESAs. The final draft RTS and ITS have been submitted to the European Commission (EC) for review, with the aim of formal adoption in the coming months, ahead of DORA’s application date of 17 January 2025. These policy products are intended to strengthen the digital operational resilience of the EU’s financial sector while ensuring the continuous delivery of financial services and safeguarding customers’ data, with a particular focus on the reporting framework for Information and Communication Technology (ICT) related incidents and on threat-led penetration testing.
The ESAs have published the following:
- RTS & ITS on reporting major ICT-related incidents and significant cyber threats
- RTS on:
- harmonization of rules regarding oversight activities
- composition criteria of the joint examination team (JET)
- Threat-Led Penetration Testing (TLPT)
- Guidelines on:
- the estimation of aggregated costs/losses caused by major ICT-related incidents
- oversight cooperation
Final report
On 26 July 2024, the ESAs issued their final set of RTS in the form of a joint Final Report, completing the regulatory framework under DORA. These standards aim to enhance the digital operational resilience of the EU’s financial sector by improving ICT risk management practices in relation to subcontracting. They include requirements for financial entities to establish and manage contractual arrangements for the subcontracting of ICT services that support critical or important functions, as defined in DORA. Financial entities must assess the risks during the pre-contractual phase, conduct appropriate due diligence, and maintain effective oversight throughout the subcontracting lifecycle.
Rejection of ITS on register of information (first batch of policy products)
The ESAs have issued an opinion in response to the EC’s rejection of the draft ITS on the registers of information concerning contractual arrangements with ICT third-party service providers, as introduced by Art. 28 DORA. The rejection concerned the requirement for financial entities to use the Legal Entity Identifier (LEI) exclusively to identify ICT third-party service providers; the EC proposed that the European Unique Identifier (EUID) be permitted in addition. Given that the ITS will affect how financial entities manage and update their ICT service contracts, the ESAs expressed concern that introducing the EUID alongside the LEI would add complexity to the identification process and the reporting conditions, as well as unnecessary implementation costs. They also warned of a potential negative impact on the designation of critical ICT third-party service providers (CTPPs) envisaged for 2025. Should the EUID be adopted, the ESAs propose that the LEI remain the primary identifier to ensure consistency, particularly within financial groups. Separately, ESMA launched a survey to gather insights from financial market participants on their use of LEIs, especially under DORA and other EU regulations.
The ESAs urge financial entities to prepare for DORA’s reporting requirements.
TIBER-EU framework
The European Central Bank (ECB) published a paper on the TIBER-EU framework, which provides tailored, intelligence-led tests that simulate real-life cyberattacks on financial entities’ key systems in a controlled environment. The framework is designed to assess and enhance the cyber resilience of participating financial entities. According to the ECB, implementing the TIBER-EU framework will help national competent authorities and financial entities meet the requirements set out in DORA, specifically those on threat-led penetration testing (TLPT).
Other developments
In addition to the above, there have been various other ancillary developments including:
- on 1 October 2024, the ESAs announced the appointment of Marc Andries as director to lead their joint oversight responsibilities under DORA. Andries will oversee critical ICT third-party service providers (CTPPs) at a pan-European level and will be responsible for implementing an oversight framework that ensures the resilience and stability of CTPPs across the EU financial sector;
- the ESAs are establishing the EU Systemic Cyber Incident Coordination Framework (EU-SCICF) under DORA to improve the financial sector’s response to cyber incidents that threaten financial stability. The framework will enhance coordination among EU financial authorities and international actors during cyber crises. A secretariat, a forum and a crisis coordination body will be set up to implement and test the framework, and the ESAs will report any legal or operational challenges to the EC;
- the ECB published a revised version of the Eurosystem cyber resilience strategy, expanding its scope beyond financial market infrastructures to include entities overseen under the PISA framework. The revised strategy seeks to enhance cyber resilience across the EU’s financial sector, and its updates align with DORA’s broader goal of harmonising ICT security and operational resilience rules. The new provisions aim to ensure continuous improvement and standardised implementation across jurisdictions.
The DORA legal and regulatory train is speeding ahead, showing no signs of slowing down. Financial institutions must stay sharp to navigate these significant changes and ensure compliance.