European Supervisory Authorities Adopt New Guidelines for Digital Operational Resilience

On July 17, 2024, the three European Supervisory Authorities (EBA, EIOPA, and ESMA – collectively, the ESAs) published the second batch of policy products under the Digital Operational Resilience Act (DORA): four final draft Regulatory Technical Standards (RTS), one set of Implementing Technical Standards (ITS), and two sets of guidelines. These measures aim to strengthen the digital operational resilience of the European Union’s financial sector.

This package focuses in particular on the framework for reporting incidents related to information and communication technologies (ICT), bringing greater clarity to the reporting requirements and templates, and on threat-led penetration testing (TLPT). It also sets out specific requirements for the design of the supervisory framework. Together, these measures are intended to enhance the digital operational resilience of the EU financial sector, ensure the continuous and uninterrupted provision of financial services to customers, and safeguard the security of their data.

The ESAs have published the following final draft technical standards:

  • RTS and ITS on the content, format, templates, and timing for reporting the most severe ICT-related incidents and significant cyber threats;
  • RTS on the harmonization of conditions that allow for the conduct of supervisory activities;
  • RTS specifying the criteria for determining the composition of the Joint Examination Team (JET);
  • RTS on threat-led penetration testing (TLPT).

The series of guidelines includes:

  • Guidelines on estimating the aggregate costs and losses caused by severe ICT-related incidents;
  • Guidelines on cooperation in the field of supervision.

The guidelines have been officially adopted by the Boards of Supervisors of the three European Supervisory Authorities (EBA, EIOPA, and ESMA). The final draft of the technical standards has been submitted to the European Commission, which will now begin the review process with the aim of adopting these new policies in the coming months. Further Regulatory Technical Standards (RTS) on outsourcing will be published in due course.