The European Supervisory Authorities (ESA) have just launched the second RTS package under DORA.
On December 27, 2022, two different but closely linked cybersecurity regulations were published in the Official Journal of the European Union. They came into force 20 days later, on January 16, 2023. They are Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), aimed at the financial sector, and Directive (EU) 2022/2555, NIS 2 (version 2 of the Network and Information Security directive), aimed at raising cybersecurity across the EU by using essential sectors as a lever. Note that the numbers of the two instruments are consecutive, which shows that they were designed together.
For those not familiar with the legal world: DORA is a regulation (an EU rule that applies directly), with a single exception, namely that it will not apply until January 17, 2025. NIS2, on the contrary, is a directive (an EU rule that member states must transpose), and it had to be transposed into a norm with the rank of law before October 17, 2024. As of the date of this post (July 29, 2024), however, it has not been transposed, and it seems unlikely that the deadline set by the Union will be met.
The DORA regulation, on which this article focuses, requires effective, proportionate and dissuasive sanctions and measures, and also contemplates administrative and criminal sanctions (a novelty). Another key new point is that they can be applied to board members. Furthermore, DORA requires that the administrative sanctions imposed on board members be published, with full name, for up to 5 years.
To provide guidance on how to implement these provisions, the European Supervisory Authorities (ESAs) develop the Regulatory Technical Standards, or RTS (Level 2 legislation). The first RTS package was published a little over a year ago, in June 2023, and the second package was published last week, as expected, once the European elections were over.
The first package was widely debated under public consultation, and the text that defined DORA in just 79 pages has grown considerably with the second RTS package.
I quote verbatim the new additions:
The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today the second batch of policy products under the Digital Operational Resilience Act (DORA). This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and 2 guidelines, all of which aim at enhancing the digital operational resilience of the EU’s financial sector.
The package focuses on the reporting framework for ICT-related incidents (reporting clarity, templates) and threat-led penetration testing while also introducing some requirements on the design of the oversight framework, which enhance the digital operational resilience of the EU financial sector, thus also ensuring continuous and uninterrupted provision of financial services to customers and safety of their data.
The ESAs are publishing the following final draft technical standards:
1. RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
2. RTS on the harmonization of conditions enabling the conduct of the oversight activities;
3. RTS specifying the criteria for determining the composition of the joint examination team (JET); and
4. RTS on threat-led penetration testing (TLPT).
The set of guidelines include:
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
- Guidelines on oversight cooperation.
Here is a brief summary of each of the documents in the new package, which contains 4 RTS (Regulatory Technical Standards) and 1 ITS (Implementing Technical Standards):
- RTS and ITS on the content, format, templates and deadlines for reporting major ICT-related incidents and significant cyber threats: This document establishes the technical and implementing standards for reporting incidents and cyber threats, specifying what information must be reported, in what format, and within what deadlines.
- RTS on the harmonization of conditions allowing the performance of supervisory activities: Establishes the requirements for harmonizing the conditions under which supervisory activities are carried out, ensuring a consistent approach across the EU.
- RTS specifying the criteria for determining the composition of the joint examination team (JET): Defines the criteria for forming the joint examination teams that oversee penetration testing and other evaluations, ensuring that they are staffed with appropriately qualified personnel.
- RTS on threat-led penetration testing (TLPT): Provides the requirements to carry out penetration tests based on specific threats, in order to evaluate the resilience of financial institutions against cyberattacks.
Along with these documents, there are 2 sets of guidelines with the following content:
- Guidelines on estimating aggregate costs/losses caused by significant ICT-related incidents: Provides guidelines for estimating the total costs and losses arising from significant ICT-related incidents, helping entities to assess the financial impact of such incidents.
- Guidelines on cooperation in supervision: Defines how supervisory authorities should cooperate in supervising the activities of financial institutions, promoting effective collaboration and coherent supervision at European level.
The EBA (European Banking Authority), one of the ESAs, has stated that the guidelines have already been adopted by the Boards of Supervisors of the three European Supervisory Authorities (ESAs). The final drafts of the technical standards have been sent to the European Commission, which will now begin to review them with the aim of adopting them in the coming months. The remaining RTS, on subcontracting, will be published soon.
More details are available at: https://www.eba.europa.eu/publications-and-media/press-releases/esas-published-second-batch-policy-products-under-dora
The EU is making significant progress towards improving the digital operational resilience of the financial sector. By establishing clear rules for incident reporting, penetration testing and oversight, these policies seek to ensure a coherent and effective response to the cyber threats currently facing the financial industry. This will not only increase transparency in the response to cyberattacks, but will also strengthen the security and stability of the financial sector, helping companies to be better prepared against digital threats.
In future posts we will delve into the documents published in this new RTS package.