On 17 January 2024,  the European Supervisory Authorities in the financial sector (EBA, EIOPA, ESMA) published draft technical standards, as required by the EU Digital Operational Resilience Act (DORA). DORA is an EU regulation which sets out cybersecurity requirements for financial firms. The technical standards cover the following:

• Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework. These complement the existing guidelines issued by the ESA on the ICT risk management framework and requirements in DORA by introducing further specific details (e.g. access control, incident detection and response, business continuity management, and risk management review reporting).  Further draft technical standards on advanced testing of ICT systems based on threat-led penetration testing will be published on 17 July 2024. 
• RTS on criteria for the classification of ICT-related incidents: these set out thresholds for notifying major incidents and criteria that affect the classification (clients and financial counterparts affected, reputation impact, geographical spread, duration and service downtime, data losses, critical services affected, economic impact).  Details of the draft incident notification templates will be published on 17 July 2024.
• RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs). These focus on contractual arrangements for the use of ICT TPP (including intra-group) and are based on the existing guidelines on outsourcing arrangements published by the ESAs. They set out internal procedures for the approval, management, control and documentation of contracts with the TPPs to strengthen the accountability within financial firms. Further draft technical standards on how to assess ICT TPPs when sub-contracting services supporting critical or important functions and how to conduct oversight of ICT TPPs designated as critical will be published on 17 July 2024.
• Implementing Technical Standards (ITS) to establish the templates for the register of information. There are 15 templates in the form of tables that are linked to form a structure. They capture the risk assessment on TPP services, the list of financial entities that use the TPPs, contracts in place with the TPPs and information on their supply chain. 

The European Commission will review the published draft RTS and ITS and they are expected to become mandatory for compliance by financial entities from 17 January 2025. The standards follow a proportionality and a risk-based approach and are to be applied by the firms depending on their size and overall risk profile, the nature, scale, and complexity of their services. 

As a reminder, for financial firms that fall under NIS2 (the Second Network and Information Security Directive) and DORA, the measures on ICT risk management, the reporting of major incidents, testing and ICT TPPs oversight and monitoring taken under DORA should be sufficient to meet the requirements of NIS2.