Following the first batch, the ESAs have initiated a public consultation on the second batch of policy mandates under DORA. This set of policy instruments, including four draft RTS, one set of draft ITS, and two sets of guidelines, aims to establish a uniform legal framework in the domains of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and oversight of critical ICT third-party providers. The consultation period extends until 4 March 2024.
This second batch of policy instruments, mandated by DORA, encompasses various components:
##### RTS and ITS on Content, Timelines, and Templates on ICT-Related Incident Reporting (Article 20):
The RTS and ITS pertaining to ICT-related incident reporting under Article 20 DORA aim to establish a standardized framework for reporting major incidents. The draft RTS proposes harmonized timelines for financial entities to report major ICT-related incidents, outlining specific deadlines for initial, intermediate, and final reports. The focus is on ensuring timely and consistent reporting, with the draft ITS introducing a single template covering the entire reporting process. This approach aligns with the incident reporting principles of NIS2, ensuring proportionality and consistency.
##### Guidelines on Aggregated Costs and Losses from Major ICT-Related Incidents (Article 11(11)):
The guidelines associated with Article 11(11) DORA address the estimation of aggregated annual costs and losses resulting from major ICT-related incidents. These guidelines provide a framework for calculating costs and losses, covering gross costs, financial recoveries, and net costs related to each major incident. Notably, the guidelines propose a reporting structure aligned with the assessment of costs and losses under technical standards for incident reporting. The emphasis is on establishing a comprehensive yet practical reporting mechanism, with a focus on the financial impact of major ICT-related incidents.
##### RTS on Threat-Led Penetration Testing (Article 26(11)):
Article 26(11) DORA mandates the development of RTS on TLPT. These standards aim to specify criteria for identifying financial entities required to perform TLPT, define requirements and standards for the use of internal testers, and outline the scope, methodology, and approach for each testing phase. The draft RTS also addresses the results, closure, and remediation stages, along with the kind of supervision and cooperation needed for TLPT implementation. The focus is on enhancing cybersecurity measures through advanced and targeted testing methods.
##### RTS on Subcontracting of Critical or Important Functions (Article 30(5)):
Article 30(5) DORA mandates the development of RTS addressing the subcontracting of critical or important functions by financial entities. The draft RTS provides specifications on determining and assessing elements related to subcontracting ICT services that support critical functions. It follows the lifecycle of arrangements between financial entities and ICT third-party service providers, emphasizing risk assessment, contractual arrangements, monitoring, information disclosure, and exit and termination rights. The aim is to establish clear and comprehensive guidelines for financial entities engaging in the subcontracting of critical functions, ensuring effective risk management and oversight.
##### Guidelines on Oversight Cooperation between the ESAs and Competent Authorities (Article 32(7)):
Article 32(7) DORA requires the issuance of guidelines on oversight cooperation between the ESAs and competent authorities. These guidelines cover detailed procedures and conditions for task allocation and execution between competent authorities and the ESAs. Additionally, the guidelines address information exchanges necessary for competent authorities to follow up on recommendations directed at critical ICT third-party service providers. The scope includes general considerations, designation of critical ICT third-party service providers, oversight activities, and follow-up on recommendations. The objective is to foster efficient and coordinated cooperation in oversight activities, emphasizing communication, information exchange, and task execution.
##### RTS on Oversight Harmonization (Article 41(1)):
Article 41(1) DORA mandates the development of RTS to specify several aspects related to oversight harmonization. These include the information to be provided by an ICT third-party service provider in its application for voluntary designation as critical, the content and format of information submitted to the Lead Overseer, and details of competent authorities' assessment of measures taken by critical ICT third-party service providers. The primary goal of these RTS is to harmonize requirements across regulations, ensuring efficient oversight conditions for critical third-party service providers. The focus is on avoiding legislative fragmentation while maintaining the stability of the financial sector.
The public consultation allows stakeholders to provide feedback until 4 March 2024. A public hearing is scheduled for 23 January 2024; the registration deadline is 18 January 2024. DORA, in force since 16 January 2023, seeks to enhance digital operational resilience in the EU financial sector, with the ESAs aiming to submit the draft technical standards to the EC by 17 July 2024.