The purpose of this post is to share the facts and links about DORA with the community.
DORA act
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
RTS published and sent to the EU Commission – first batch on 17th of January 2024:
- JC 2023 83 – RTS on criteria for the classification of ICT-related incidents
- JC_2023_83_-_Final_Report_on_draft_RTS_on_classification_of_major_incidents_and_significant_cyber_threats.pdf
- JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (Was replaced with JC(2024) 1531).
- JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions.pdf
- JC 2023 85 – Implementing Technical Standards (ITS) to establish the templates for the register of information
- JC_2023_85_-_Final_report_on_draft_ITS_on_Register_of_Information.pdf
- JC 2023 86 – RTS on ICT risk management framework and on simplified ICT risk management framework (Was replaced with JC(2024) 1532).
- JC_2023_86_-_Final_report_on_draft_RTS_on_ICT_Risk_Management_Framework_and_on_simplified_ICT_Risk_Management_Framework.pdf
Final Reports – draft RTS submitted to the European Commission on 17th July 2024:
- JC 2024-29 – Final report_DORA RTS on TLPT
- Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554
- JC 2024-29 – Final report_DORA RTS on TLPT.pdf
- JC 2024-33 – Final report on the draft RTS and ITS on incident reporting
- RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats – EBA site;
- JC 2024-33 – Final report on the draft RTS and ITS on incident reporting.pdf
- JC 2024-35 – Final report on RTS on harmonisation of conditions for OVS conduct
- RTS on the harmonization of conditions enabling the conduct of the oversight activities;
- JC 2024-35 – Final report on RTS on harmonisation of conditions for OVS conduct.pdf
- JC 2024 54 – Final Report RTS on JET
- RTS specifying the criteria for determining the composition of the joint examination team (JET);
- JC 2024 54 – Final Report RTS on JET.pdf
Final Reports – draft RTS submitted to the European Commission on 26th July 2024:
- JC 2024 53 – Final Report RTS .. to assess when subcontracting ICT services supporting critical or important functions
- Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554;
- JC 2024-53_Final report DORA RTS on subcontracting.pdf
The set of guidelines includes:
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
- JC 2024 34 Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554. EBA site;
- JC 2024 34 Joint Guidelines pdf
- Guidelines on oversight cooperation.
Update to DORA regulation – Supplementing Regulation (EU) 2022/2554:
Criteria for the designation of ICT third-party service providers as critical for financial entities
- Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. (EU) 2024/1502.
Criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- OJ – Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents. C(2024) 1519 final.
- OJ – Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. C(2024) 1531 final. (Replaces / supplements – JC 2023 84)
- OJ – Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework. JC(2024) 1532 final. (Replaces / supplements – JC 2023 86)