ALFI responds to the ESAs' consultation papers on the DORA draft regulatory technical standards a) to further harmonise ICT risk management tools, methods, processes and policies; b) on specifying the criteria for the classification of ICT-related incidents; c) on draft implementing technical standards to establish the templates for the register of information; and d) on draft regulatory technical standards to specify the policy on ICT third-party service providers

ID 24879

The ESAs launched public consultations on the first batch of policy products under the Digital Operational Resilience Act (DORA) on 19 June 2023. This includes four draft regulatory technical standards (RTS) and one set of draft ITS.
These measures aim to establish a consistent and harmonized legal framework for ICT risk management, major incident reporting, and third-party risk management in the EU financial sector. DORA seeks to enhance digital operational resilience and promote harmonization of requirements for all financial entities.
ALFI welcomed the opportunity to take part in the ESAs' consultation on DORA's first batch of policy products. It represented the views of Luxembourg market practitioners, in particular on the ICT register of information. ALFI responded to selected questions only, focusing on high-level assessments and industry-specific considerations:

### Part I: RTS to further harmonise ICT risk management tools, methods, processes and policies
On 8 September 2023, ALFI responded to the European Supervisory Authorities' (ESAs) consultation paper on the regulatory technical standards (RTS) harmonising ICT risk management tools, methods, processes and policies, as mandated by Regulation (EU) 2022/2554.
These initiatives stem from DORA Articles 15 and 16(3), emphasizing ICT risk management frameworks for financial entities.
ALFI acknowledges the RTS but expresses concerns about the substantial implementation burden, especially for investment fund managers who fall outside the scope of EBA guidelines. ALFI suggests a phased implementation approach for risk management frameworks, policies, information registers, and operational processes, offering flexibility.
ALFI supports the principles in Article 2 but recommends clarification on the division of responsibilities between ICT and control functions, especially in smaller entities following a proportionality principle. Additionally, ALFI proposes enabling control functions to rely on ICT expertise and intra-group resources while maintaining independence.
Article 3 sets out the requirements for ICT risk management policies and procedures, which align with established industry standards. On vulnerability management, ALFI draws a distinction between running automated scans and analysing their results: the measure that matters is that material vulnerabilities are identified and patched, not how frequently the scanner runs.
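The distinction ALFI draws above, between scanner output and the analysis of it, is easiest to see in code. The following is an added example, not code from ALFI, the ESAs or the RTS: raw scan findings go in, and the analysis step deduplicates them, classifies each as material or not, attaches a remediation deadline and reports what is overdue. The materiality rule, the deadline figures and the sample findings (with placeholder identifiers) are assumptions chosen for the illustration and are not thresholds from DORA.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One raw finding as a scanner would emit it."""
    asset: str
    vuln_id: str          # placeholder identifier for the example, not a real CVE
    cvss: float           # CVSS v3 base score, 0.0 to 10.0
    exploited: bool       # known exploitation in the wild (e.g. from a KEV-style feed)
    internet_facing: bool
    critical_asset: bool  # asset supports a critical or important function


# Assumed remediation targets, in days from the scan date, per materiality tier.
DEADLINE_DAYS = {"critical": 7, "high": 30, "standard": 90}
TIER_ORDER = {"critical": 0, "high": 1, "standard": 2}


def materiality(f: Finding) -> str:
    """Classify a finding. The rule is an assumption for the example:
    exploitation plus exposure outranks raw CVSS, which is why scan
    frequency alone says little about the risk actually carried."""
    exposed = f.internet_facing or f.critical_asset
    if f.exploited and exposed:
        return "critical"
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and exposed):
        return "high"
    return "standard"


def build_patch_list(findings: list[Finding], scan_date: str) -> list[dict]:
    """The analysis step: dedupe repeated findings, classify each, attach a
    deadline and order by urgency. Dates are ISO-8601 strings."""
    start = date.fromisoformat(scan_date)
    seen: set[tuple[str, str]] = set()
    rows: list[dict] = []
    for f in findings:
        key = (f.asset, f.vuln_id)
        if key in seen:  # a weekly scan re-reports the same finding; count it once
            continue
        seen.add(key)
        tier = materiality(f)
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "tier": tier,
            "due": (start + timedelta(days=DEADLINE_DAYS[tier])).isoformat(),
        })
    # ISO dates sort correctly as strings; sort is stable for equal keys.
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["due"]))
    return rows


def overdue(patch_list: list[dict], today: str) -> list[dict]:
    """Findings past their deadline: the figure a control function tracks,
    independent of how often the scanner ran."""
    now = date.fromisoformat(today)
    return [r for r in patch_list if date.fromisoformat(r["due"]) < now]


# Constructed sample scan output; identifiers are placeholders.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-001", 7.5, True, True, False),
    Finding("db01", "VULN-002", 9.8, False, False, True),
    Finding("web01", "VULN-001", 7.5, True, True, False),  # duplicate from a later scan
    Finding("ws17", "VULN-003", 5.3, False, False, False),
    Finding("app02", "VULN-004", 7.2, False, True, False),
]

if __name__ == "__main__":
    patch_list = build_patch_list(SAMPLE_FINDINGS, "2023-09-01")
    for row in patch_list:
        print(row)
    print("overdue on 2023-10-02:", len(overdue(patch_list, "2023-10-02")))
```

The point of the split is that the scanner's output is an input to a control, not the control itself: evidence for a supervisor is the patch list with its deadlines and the count of overdue material findings, which does not change if the scan runs daily instead of weekly.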

### Part II: RTS on specifying the criteria for the classification of ICT-related incidents
On 8 September 2023, ALFI responded to the ESAs consultation paper regarding RTS for classifying ICT-related incidents, materiality thresholds for major incidents, and significant cyber threats under Regulation (EU) 2022/2554.
ALFI expressed agreement with the global approach but raised concerns about timing constraints in qualifying incidents and data loss assessments.
ALFI highlighted potential interpretational challenges in the classification criteria for incidents. It suggested a standardised template for recording affected transactions and clients so that assessments are made on a consistent basis. On Article 2, ALFI sought quantitative guidance on "reputational impact" and clarification of what constitutes "attracted media attention". It stressed that an incident can have a reputational impact even if regulators are not aware of it. For Article 10, ALFI recommended specifying a time range so that incidents with delayed consequences are captured.
In reference to Articles 3 and 11, ALFI believed the requirements were consistent with existing regulatory frameworks but sought clarity on the interpretation of a two-hour threshold for incidents affecting critical functions.
Regarding Articles 4 and 12, ALFI expressed concern that the "geographical spread" criterion may disadvantage financial centres focused on cross-border distribution. It called for further clarification of the wording "financial market infrastructures or third-party providers".
ALFI proposed a two-step process for assessing the economic impact under Articles 7 and 15, including an initial assessment during the incident occurrence and a reassessment afterward. They recommended defining a timeframe for excluding subsequent costs and losses from the direct impact of an incident. ALFI emphasized the need for flexibility in internal escalation procedures and the discretion of senior management in classifying incidents.
Regarding Article 16, ALFI raised concerns about the feasibility of aggregating incidents with similar root causes and suggested a best-effort approach. They supported systematic root cause analysis for major incidents but cautioned against overreporting minor incidents. ALFI believed that the assessment of cyber threats should follow a risk-based approach, distinguishing between inherent and residual risks, and maintaining strict confidentiality.
ALFI agreed with information sharing among regulators but stressed the importance of secure communication channels to prevent the spread of vulnerabilities. They called for alignment among Member States‘ regulators on the concepts of significance, materiality, and criticality in regulatory reporting and information sharing.

### Part III: ITS to establish the templates for the register of information
On 8 September 2023, ALFI responded to the ESAs consultation paper on the DORA draft ITS for establishing templates for the register of information concerning contractual arrangements related to the use of ICT services provided by third-party service providers, as mandated by Regulation (EU) 2022/2554.
Indeed, DORA Article 28(9) requires the ESAs to develop ITS to create standard templates for the register of information, promoting content uniformity.
ALFI expressed concern that not all ICT service providers have Legal Entity Identifiers (LEIs), making an alternative unique identifier necessary. It supported disclosing information about material subcontractors but called for a clear definition of "materiality". It also noted the difficulty of collecting complete subcontractor lists, particularly for smaller entities with limited technology expertise.
Regarding contractual arrangements, ALFI raised questions about separate contracts for services falling under DORA, which could increase administrative burden. They highlighted the complexity of data collection beyond contractual elements and the challenges of allocating responsibilities within groups.
ALFI suggested retaining terminated contractual arrangement information for five years, aligning with industry standards. They emphasized the need for clarification on responsibilities within global groups with both EU-based and non-EU-based entities.
Concerns arose about presenting annual expenses and estimated costs at the entity level for entities with non-EU parent companies. ALFI noted that the structure might necessitate additional reporting processes and costs.
The organization pointed out that entities may already oversee ICT service supply chains but emphasized the challenges related to supplier bargaining power. They recommended considering supplier materiality in the ICT value chain and proposed initiatives to encourage efficient information disclosure.
ALFI called for clarification on whether one ICT service provider could cover multiple service categories and suggested aligning DORA's definition of 'ICT services' with the taxonomy used in the templates.
They found the template structure complex and requested an example to assist members in reporting. The impact assessment was challenging, especially for global entities with non-EU headquarters.
ALFI requested clarity on whether ESAs would provide an official template or if entities must create their own based on RTS instructions. They emphasized the benefits of a standardized template.
Finally, ALFI's comments focused primarily on template RT.02.02 (Contractual Arrangements). It sought clarification of how "customer" is to be interpreted and recommended additional granularity in the "reliance" drop-down menu.

### Part IV: RTS to specify the policy on ICT services supporting critical or important functions
On 8 September 2023, ALFI responded to the ESAs consultation on the DORA draft RTS for ICT services. DORA mandates financial entities to adopt a strategy on ICT third-party risk, including a policy on ICT services supporting critical functions. ALFI supports these RTS as they detail governance for delegating critical functions to ICT Service Providers.
Article 3 extends existing guidelines to a wider range of entities but raises concerns about duplicated governance in subsidiaries and parent entities. Renegotiating existing contracts with ICT Service Providers by January 2025 may be ambitious, requiring flexibility in the transition period.
ALFI suggests incentivizing ICT Service Providers to provide standardized information, promoting a level playing field for entities. Article 4 categorizes ICT service providers but requires clarity on the control framework for subcontractors.
Article 5 outlines the lifecycle of arrangements with ICT Service Providers; ALFI suggests that, within a group, the parent company should supervise implementation of the policy. ALFI has no comments on Article 6. Article 7 addresses ethical and socially responsible assessments, particularly for ICT Service Providers not subject to the CSRD; ALFI emphasises the need for controls and data considerations here.
ALFI appreciates the Risk-Based Approach in Article 8 but highlights the resource-intensive nature of data gathering and suggests potential business opportunities.
Article 10 aligns with industry standards for oversight processes. Article 11’s exit and termination provisions align with EBA guidelines, with specific attention to cloud infrastructures provided by non-EU ICT Service Providers. These platforms lack EU regulation and related governance provisions.

Other Features: agreement, assessment, automation, budget, companies, cross-border distribution, CSD, disclosure, fund management, governance, level playing field, model, operational, process, regulatory, reporting, resilience, risk, risk management, standard, supply chain, surveys, sustainability
Date Published: 2023-09-08
Regulatory Framework: Digital Operational Resilience Act (DORA)
Regulatory Type: opinion