On December 8, 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched the public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). This public consultation covers six policy documents that will establish requirements for financial institutions in the following areas:

The timelines, content and templates for major incident reporting

DORA has set out the requirements for how financial institutions must report security incidents to their competent authorities. It is expected that financial entities establish incident management processes, follow standards on incident reports and report on a voluntary basis significant cyber threats.

The expected content of the ICT related incident reports includes data such as the type of incident, the date and time of the incident, the affected systems, and the potential impact of the incident.

Subcontracting of critical or important functions

The draft RTS provides further requirements on what needs to be considered when subcontracting ICT services supporting critical or important functions. Critical or important functions are those that are essential to the financial institution's ability to operate, or that are subject to regulatory requirements.

We see the RTS go a step further, for example notice periods shall be given in the case of material changes being made to sub-contractor arrangements.

Guidance on costs and losses caused by major incidents

Financial entities may be asked to provide data on the estimated costs and losses that they have incurred because of major ICT related incidents. The draft Guideline defines the process for determining the aggregated costs and losses for major incident, including the reporting requirements.

Threat-led Penetration Testing (TLPT) and the TIBER Framework

Financial entities must conduct regular TLPT exercises to assess the security of their systems and networks. This document defines the criteria for firms who need to conduct TLPT, the testing methodologies to be applied (i.e. TIMER Framework) and the additional requirements for the use of internal testers, including defining a policy on the use of internal testers for TLPT.

Guidelines on oversight between the ESAs and competent authorities

The draft guidelines cover the information and cooperation exchanges between the ESAs and the competent authorities in areas such as language, difference of opinions, designation of critical ICT third-party service providers, oversight activities and follow-up procedures.

Note: Oversight harmonisation and cooperation between ESAs, competent authorities and ICT third-party service providers intend to ensure that there is consistency and cooperation across the EU in the supervision of firms and other entities that are subject to the DORA requirements. Therefore, they will not be considered in this article because firms are not responsible for this oversight.

Grant Thornton
Enter your details to download the full publication

Navigating the ESA’s second round of Consultation Papers on DORA

  • Discover the requirements needed for financial institutions on the fast approaching DORA deadline.
  • Learn how our team of operational resilience and technology experts provide tailored support to tackle the complexities and intricacies of DORA.