What is the Secondary Legislation:
The primary DORA legislation is supplemented by a set of secondary legislation which gives further guidance and clarity around how to implement the primary-level requirements. ‘Secondary legislation’ broadly refers to the RTS, ITS, Common guidelines and Feasibility reports that have been developed by the European Supervisory Authorities [‘ESAs’]. For each of the topics mentioned below, the ESAs have published Consultation Papers, solicited [and responded to] feedback from the industry, and subsequently published a ‘Final Draft’.
Secondary Legislation Status:
Final draft regulatory technical standards (RTS) – 17th January 2024
- Regulatory Technical Standards aimed at further standardising ICT risk management tools, methods, procedures, and policies as required under Articles 15 and 16(3)
- Regulatory Technical Standards detailing the criteria for categorising ICT related incidents, materiality thresholds for major incidents and significant cyber threats
- Implementing Technical Standards concerning the standard templates for the purpose of the register of information related to all contractual agreements on the use of ICT services provided by ICT third-party service providers as per Article 28(9)
- Regulatory Technical Standards to outline the comprehensive content of the policy concerning the contractual agreements on the use of ICT services that support critical or important functions provided by ICT third-party service providers
Final draft regulatory technical standards (RTS) – 17th July 2024
- Regulatory Technical Standards detailing components associated with threat-led penetration tests as per Article 26(11) of Regulation (EU) 2022/2554
- Regulatory Technical Standards concerning the details of the alerts and reports for significant incidents and substantial cyber threats, and establishing the deadlines for reporting major incidents
- Implementing Technical Standards regarding the standard forms, templates, and processes for financial organisations to report a significant incident and to alert a substantial cyber threat
- Combined Guidelines on the calculation of cumulative annual expenses and losses resulting from significant ICT-related incidents under Regulation (EU) 2022/2554
- Preliminary Regulatory Technical Standards on standardising conditions that facilitate the execution of oversight activities
- Conclusive Report on Combined Guidelines on the collaboration and data sharing between the ESAs and the competent authorities under Regulation (EU) 2022/2554
- Conclusive Report on Preliminary Regulatory Technical Standards detailing the components that a financial entity must identify and evaluate when outsourcing ICT services that support critical or significant functions as required by Article 30(5) of Regulation (EU) 2022/2554
A feasibility report on further centralisation of incident reporting through the establishment of a single EU hub is in progress and currently on-target to be submitted to the European Commission by 17 January 2025.
What do Firms need to do?
By now, most Firms will have assessed the material gaps that exist between the current-state operating model and the draft RTS. Following the finalisation of a second tranche of RTS in July, Firms will now need to fine-tune their gap analysis to incorporate the changes the ESAs have introduced further to their consultation with the Industry.
In addition, the RTS are a rich source of information on how to practically implement DORA. Careful analysis of the RTS presents an opportunity for firms to acquire subject-matter-expertise to ensure a compliant implementation and to really enhance their current state operating model.
Taking as an example the ‘Technical Standards specifying elements related to threat led penetration tests’, the RTS offer firms valuable information relating to:
- The interaction between the DORA TLPT requirements and the TIBER-EU framework, as well as the differences between the DORA TLPT and the original TIBER-EU framework, for example:
  - DORA allows Member States to designate a single public authority (SPA), but it is also possible to have multiple TLPT authorities per Member State (in case of pooled or joint testing).
  - The use of internal testers is not foreseen in the original TIBER-EU framework, but DORA allows for it.
  - Mandatory purple teaming exercises.
- Key respondent concerns:
  - Requirements applying to TLPT providers (both testers and threat intelligence providers).
  - The proposed testing process, in particular in respect of TLPTs involving several financial entities and an ICT service provider (in case of pooled testing or a joint test), and requests for more time, in particular for the closure phase.
  - TLPT requirements applying to a wide range of firms’ critical or important functions.
  - How mutual recognition/cooperation of TLPT authorities will occur in practice.
  - The potential inclusion of third parties in TLPT.
How can we help?
If your firm has not yet impact-assessed the secondary legislation (published in July ’24), we would be delighted to talk you through our detailed thinking around the Secondary Legislation. We have bespoke AI tools at our disposal to accelerate firms through the analysis process. We can help you to easily summarise the main changes in the RTS that need to be checked in the lead-up to your DORA go-live in Jan ’25.
More generally, we can assist with all other core stages of your DORA-implementation (gap analysis, plan mobilisation and execution, advisory).
Please provide your contact details and we can reach out to you to discuss your needs in further detail.