Last month, the European Supervisory Authorities (ESAs) launched a consultation package on the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of the EU’s Digital Operational Resilience Act, DORA.
You can find more detail in our alert here. The draft technical standards cover:
- the risk management framework that financial institutions (FIs) are required to introduce
- classification of ICT-related incidents, and the test for classifying an incident as “major”
- the content of an FI’s policy relating to the contractual arrangements on the use of ICT services supporting critical or important functions
- ITS to establish the register of third-party ICT services that FIs are required to keep
The deadline for responses to this consultation package is 11 September 2023. The ESAs have made clear that all responses will be published unless requested otherwise. Following this, the final versions of these RTS and ITS are expected to be published in January 2024.
These standards, and the other obligations imposed by DORA, will be important both to FIs and their ICT providers; please contact our DORA leads below for further assistance.