The European Supervisory Authorities (the ESAs), constituted of EBA, EIOPA, and ESMA, have launched a public consultation on the first batch of policies under the Digital Operational Resilience Act (DORA).
The consultation includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
The consultation runs until 11 September 2023.
The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk.
Under DORA the ESAs are mandated to jointly develop 13 policy instruments in two batches. The first batch of technical standards, on which the ESAs are now consulting and which are to be submitted by 17 January 2024, are:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.