In a significant move towards enhancing digital operational resilience in the European Union’s financial sector, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), together known as the three European Supervisory Authorities (ESAs), have jointly published the first set of final draft technical standards under the Digital Operational Resilience Act (DORA). DORA was published in the Official Journal of the European Union on 27 December 2022, entered into force on 16 January 2023 and will apply from 17 January 2025. DORA outlines obligations to be met by financial services firms in the EU to bolster their cyber risk management and operational resilience.
How and Why the Law is Changing
The first set of final draft technical standards, published on 17 January 2024, is designed to fortify the digital operational resilience of the EU financial sector by addressing key elements under DORA. These include Regulatory Technical Standards (RTS) on Information and Communication Technology (ICT) risk management frameworks, criteria for classifying ICT-related incidents, ICT third-party service provider (TPP) policies, and Implementing Technical Standards (ITS) for the register of information.
The objectives are to harmonise ICT risk management tools, methods, processes, and policies across financial sectors, provide criteria for incident classification, and specify governance requirements for financial entities using ICT TPPs. These standards play a crucial role in ensuring uniformity and effectiveness in handling cyber threats across the financial landscape.
Consequences and Changes to the Law
Financial entities operating in the EU, including those under simplified regimes, are required to adhere to the final draft technical standards to enhance their digital operational resilience. The RTS on ICT risk management framework and simplified ICT risk management framework outline elements essential for financial entities, ensuring harmonisation and proportionality across different scales and complexities.
The RTS on criteria for the classification of ICT-related incidents establish a standardised process for incident reporting and classification, promoting consistency throughout the financial sector. Additionally, the RTS on ICT TPP policy sets governance and risk management standards for financial entities engaging with third-party ICT service providers, emphasising control over operational risks, information security, and business continuity.
The ITS on the register of information provide templates for financial entities to maintain records of contractual arrangements with ICT third-party service providers. This register is pivotal for the ICT third-party risk management framework, aiding competent authorities and ESAs in overseeing compliance with DORA.
Conclusion: The aforementioned final technical standards were formulated in accordance with the provisions outlined in Articles 15, 16(3), 18(3), 28(9), and 28(10) of the DORA Regulation and are now awaiting review by the European Commission in the coming months. Once approved, these standards will contribute significantly to the digital operational resilience of the EU financial sector, underscoring a collective commitment to fortifying cybersecurity measures and ensuring a robust response to evolving digital threats.
Looking ahead, lawmakers and regulators in Cyprus and EU-wide must ensure that the existing and forthcoming legal framework leaves no significant gaps for undetected risks, while also enhancing the level playing field. Additionally, mechanisms should be established at the EU-level to facilitate seamless cooperation among regulators across borders. By doing so, the stability of the financial system can be preserved, while simultaneously addressing money-laundering risks and safeguarding consumer interests.
By Eva Manolova
For more information, please visit our Insurance & Personal Injury microsite or send your queries to [email protected].