ESAs published second batch of policy products under DORA

The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today the second batch of policy products under the Digital Operational Resilience Act (DORA). This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and 2 guidelines , all of which aim at enhancing the digital operational resilience of the EU’s financial sector.

The package focuses on the reporting framework for ICT-related incidents (reporting clarity, templates) and threat-led penetration testing while also introducing some requirements on the design of the oversight framework, which enhance the digital operational resilience of the EU financial sector, thus also ensuring continuous and uninterrupted provision of financial services to customers and safety of their data.

The ESAs are publishing the following final draft technical standards:

• RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats; 
• RTS on the harmonization of conditions enabling the conduct of the oversight activities;
• RTS specifying the criteria for determining the composition of the joint examination team (JET); and
• RTS on threat-led penetration testing (TLPT).

The set of guidelines include:

• Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
• Guidelines on oversight cooperation.

Next steps

The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission, which will now start working on their review with the objective to adopt these policy products in the coming months. The remaining RTS on Subcontracting will be published in due course.

Legal basis and Background

The final draft technical standards have been developed in accordance with Articles 20(a), 20(b), 26(11) and 41(1) of DORA (Regulation (EU) 2022/2554). The guidelines have been drafted based on Articles 11(1) and 32(7) of the same regulation.

The public consultation on all the above-mentioned technical standards and guidelines took place from 8 December 2023 to 4 March 2024. The ESAs received more than 364 responses from market participants (265 for the technical standards and 99 for the two guidelines), including a joint response from ESAs’ stakeholder groups. The RTS on JET has been consulted on separately from 18 April to 18 May and brought forward 9 responses from stakeholders. All these public consultations led to specific changes to the technical standards, ensuring simplification and streamlining of the requirements, greater proportionality and addressing sector-specific concerns.

As mandated by Article 20 of DORA the ESAs have consulted with the European Central Bank (ECB) and European Union Agency for Cybersecurity (ENISA) for the technical standards relating to incident reporting.