On 17 July, the three European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) published the second batch of policy products under the Digital Operational Resilience Act (DORA), which businesses must be compliant with by 17 January 2025. Si West writes
The new regulations address a range of concerns, including financial entities’ ICT and third-party risk management, incident classification, the reporting framework for ICT-related incidents, and implementing threat-led penetration testing.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataOver 22,000 financial entities and ICT service providers operating within the EU are expected to abide by DORA requirements, applying to a whole landscape of financial market participants, from insurance companies to crypto-asset service providers. The framework should provide unanimity across European firms for companies both based in the EU as well as those with ICT infrastructure outside the EU.
In view of this, what do European companies need to implement in order to comply with these new regulations?
A recap of the first batch
DORA focuses on five key areas: ICT Risk Management; ICT-related Incident Management, Classification & Reporting; Digital Operational Resilience Testing; ICT Third Party Risk Management; and Information Sharing Arrangements.
The first batch of DORA products was published in January 2024, a year after DORA was entered into force in January 2023, following a series of public consultations which led to changes to technical standards, ensuring simplified requirements, greater proportionality, and addressing sector-specific concerns.
This aimed to strengthen financial entities’ ICT and third-party risk management and incident classification. This followed consultations between the ESAs, the European Central Bank (ECB) and European Union Agency for Cybersecurity (ENISA) for the technical standards relating to incident reporting.
The technical standards in the first batch included Regulatory Technical Standards (RTSs) on ICT risk management framework, simplified ICT risk management framework, criteria for the classification of ICT-related incidents, as well as RTSs to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs). It also included Implementing Technical Standards (ITSs) to establish the templates for the register of information.
Third-party risk has become a key concern for organisations globally, with third-party vendor risk becoming the number one point of failure for Resilience clients in Q2 2023, making up 28.9% of all claims notices. Managing this third-party risk must be a priority for financial businesses in the EU going forward, with the MOVEit and Ivanti hacks demonstrating the mass impact of supply chain disruption.
To reduce the impact of attacks on third-party vendors on their overall environment, businesses can prioritise working with vendors that have security controls in place and emphasise third party risk management. Using best practices, such as continuous monitoring and audits of threats to partners can reduce the scope of such attacks. Furthermore, developing a robust incident response plan can allow for prompt action and communication with key stakeholders and minimise financial and operational losses.
What’s new?
The second batch focuses on the reporting framework for ICT-related incidents, such as reporting clarity and templates. There are also requirements on the design of the oversight framework, which enhance the digital operational resilience of the EU financial sector. This protects the customer as well as businesses, ensuring they do not experience any disruption in receiving financial services and that their data is protected.
The new products consist of four final draft RTSs, one set of Implementing Technical Standards (ITS) and two guidelines:
- an RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
- an RTS on the harmonisation of conditions enabling the conduct of the oversight activities;
- an RTS specifying the criteria for determining the composition of the joint examination team (JET), and
- and an RTS on threat-led penetration testing (TLPT).
The second batch also includes two new sets of guidelines, the first on the estimation of aggregated costs/losses caused by major ICT-related incidents; and the second on oversight cooperation. This first set of guidelines provides a template for reporting gross costs and losses and financial recoveries in a reference year, while the guidelines on oversight cooperation aim to ensure that the ESAs and the competent authorities have an overview of the areas where cooperation and/or exchange of information between authorities and the ESAs is needed, a coordinated approach between the ESAs and authorities in the exchange of information, and a common approach to procedure and timelines.
The announcement also covers the implementation of threat-led penetration testing, which are enhanced security tests for financial entities. Running tests and simulations can help businesses gain critical insights into security strengths as well as gaps. Resilience provides in-house data-led Breach & Attack Simulations for its clients, allowing them to run realistic simulations of attempted hacks to test the efficacy of internal risk processes, controls, and look for areas to refine security programmes.
Next steps
The European Commission will now start working on their review, aiming to adopt these policy products in the coming months. An RTS on Subcontracting will be published in due course, and DORA will apply as of 17 January 2025, when all relevant financial entities will be expected to be fully compliant.
Businesses, between now and then, will need to address managing third-party cyber risk and conduct security tests and simulations to proactively identify threats and vulnerabilities before they can be exploited. Incorporating more comprehensive cyber resilience strategies, such as integrating both cybersecurity and cyber insurance coverage, as Resilience offers, will give businesses better insight into their risk profiles, driving planning decisions, reducing losses, and guiding risk factors.
As the EU navigates a turbulent geopolitical period, DORA aligns with these firms’ best interests, and will provide an effective set of regulations to ensure that they can continue operating safely and effectively.
Si West is the Director of Customer Engagement at Resilience