June's DORA Developments: A Regulatory Roundup
- James Ross
- Jun 27, 2024
- 3 min read
June 2024 has been a crucial month for the Digital Operational Resilience Act (DORA) framework, with several significant regulatory developments published that will materially affect financial entities and ICT service providers.

Commission Delegated Regulation (EU) 2024/1772: Reporting ICT Incidents and Significant Cyber Threats
This regulation introduces a harmonised framework for classifying and reporting ICT-related incidents and significant cyber threats. It sets out criteria for categorising incidents based on their impact, establishes materiality thresholds for determining which incidents are major, and defines criteria for identifying significant cyber threats.
Implications for Firms:
Financial entities must establish clear procedures for incident classification and threat assessment.
Major incidents must be reported promptly to the relevant competent authority, using the templates and timelines set out in the separate DORA reporting standards rather than in this classification regulation.
Firms should actively participate in information-sharing initiatives and allocate resources to maintain effective incident response and reporting processes.
Commission Delegated Regulation (EU) 2024/1773: Contractual Arrangements with ICT Third-Party Service Providers
This regulation details the content required in financial entities' policies regarding contractual arrangements with ICT third-party service providers (TPSPs), particularly those supporting critical or essential functions. It covers risk assessment, due diligence, conflict of interest management, and specific contractual clauses.
Implications for Firms:
Financial entities must develop comprehensive policies addressing all aspects of contractual arrangements with ICT TPSPs.
Thorough risk assessments and due diligence are mandatory before engaging TPSPs, especially for critical functions.
Contracts with TPSPs must include detailed provisions on service levels, data protection, incident response, termination rights, and audit rights.
Firms must establish processes to monitor TPSP performance and compliance.
Exit strategies are necessary to ensure the continuity of critical services in case of TPSP failure.
Commission Delegated Regulation (EU) 2024/1774: ICT Risk Management
This regulation supplements DORA with technical standards for the ICT risk management framework in the financial sector, including the simplified framework available to certain smaller entities. It aims to ensure that ICT risk management requirements are proportionate to financial entities' size, structure, and complexity.
Implications for Firms:
Firms retain flexibility in how they meet the ICT security requirements: the regulation specifies what their policies and procedures must cover, not the precise controls, so implementation can be scaled to the entity's size and risk profile.
Clear roles and responsibilities for ICT security must be assigned and maintained.
Comprehensive ICT security policies must be developed, covering asset management, capacity and performance management, and ICT operations.
Policies on encryption and cryptographic controls, including key management, must be in place to protect data at rest and in transit.
Robust procedures for vulnerability management, patch management, and change management are required.
ICT-related incident policies and business continuity plans must be established.
Other Developments:
DORA Delegated Regulations on Critical ICT Third-Party Providers and Oversight Fees: These regulations set out the criteria for designating ICT third-party providers as critical and the oversight fees that designated providers must pay. Financial entities and ICT service providers should review them to understand their obligations and the financial consequences of a provider being designated as critical.
DORA Dry Run: A voluntary dry run, planned for the second half of 2024, is designed to help financial entities prepare for DORA compliance. It will test their ability to compile and submit their registers of information on ICT third-party provider arrangements, giving them an opportunity to identify and fix data and process gaps before DORA applies from 17 January 2025.
ECB Guide on Outsourcing Cloud Services: This guide outlines supervisory expectations for financial institutions outsourcing cloud services. It provides valuable insights into best practices for risk management, due diligence, contractual safeguards, and ongoing monitoring, and financial entities and ICT service providers are strongly encouraged to review and implement its recommendations.
June's regulatory developments mark a major step towards the full application of DORA. Financial entities and ICT service providers should review and align their operations with these regulations now to ensure a smooth transition and maintain operational resilience against evolving digital risks.