The upcoming arrival of the Digital Operational Resilience Act (DORA) on 17 January 2025 will end the fragmentation of legal obligations for ICT processes and security. By then, financial entities will be required to be fully compliant with both DORA and related regulatory technical standards. Some specific parts of DORA still need to be further developed in level 2 and level 3 legislation. These levels represent more detailed rules and elaborations of the obligations set out in the law.
On 8 December, the European regulators (EBA, ESMA, and EIOPA, collectively referred to as the ‘ESAs’) published the second set of draft implementing technical standards. This second set of standards includes four ‘Regulatory Technical Standards’ (RTS), which provide specific technical requirements, one ‘Implementing Technical Standard’ (ITS), aimed at practical implementation, and two ‘Guidelines’ (GL), which serve as interpretative guidance.”
This article zooms in on this second set of regulatory and implementing technical standards flesh out DORA, and have been submitted for consultation.
Incident reporting (art. 20 DORA)
RTS and ITS on content, timelines and templates for incident reporting.
The draft RTS regarding the reporting requirements of serious incidents, addresses three topics:
The draft ITS contains an elaboration of the standard forms for the generic reporting requirements and reporting for serious ICT incidents and significant cyber threats.
Cost reporting (art. 11 DORA)
Guidelines on reporting total costs and losses resulting from major incidents.
The draft Guidelines set out how to report on the estimation of total annual costs and losses caused by major ICT-related incidents. The Guidelines introduce reporting on gross costs and losses, financial recoveries and on net costs and losses.
Testing requirements (art. 26 DORA)
RTS on threat-based penetration testing (TLPT)
Art.26 of DORA requires financial entities to conduct advanced testing through TLPT at least every three years. These are the entities that are not covered by the simplified ICT Risk Framework (Art.16), micro enterprises are also excluded. This RTS describes the requirements for these tests.
Sub-outsourcing (art. 30 DORA)
RTS on the sub-outsourcing of critical or important functions
This draft RTS elaborates on the requirements of Art 30(2)(a) on what elements a financial entity should assess in case of sub-outsourcing of ICT services supporting critical or important functions.
Supervision (arts 41 and 32 DORA)
RTS on harmonisation of supervision
GL on supervisory cooperation between ESAs and competent authorities
These last two documents cover cooperation between ESAs and local supervisory authorities, division of tasks and exchange of information.
The publication of these implementing standards marks the start of a public consultation, during which market participants will have the opportunity to comment on the content of the documents until 4 March 2024. The consultation period allows the ESAs to gather and evaluate feedback from the market.
After the consultation period, the final versions will be published on 17 July 2024. When they are, they will be incorporated into the Regulatory Change module of our compliance software, Ruler. This new module assists financial organisations in implementing new laws and regulations and incorporates all the requirements of DORA in an accessible way.
The Regulatory Change module helps you to:
We help organisations meet the requirements of DORA. For example, by conducting a gap analysis and then helping to ‘close’ the gaps identified. We can also help you create, adapt or review the necessary policies and procedures. Need help becoming DORA compliant? Please feel free to contact us.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
