News and developments
DORA Trifecta - Three delegated regulations adopted by the Commission
These newly adopted regulations set out regulatory technical standards (“RTS”) which mainly focus on the management of ICT-related incidents, contractual relationships with ICT service providers, and ICT risk management tools including the simplified ICT management framework.
Author: James Debono
- Classification of ICT-related Incidents and Cyber Threats: The first regulation (C(2024) 1519 final) establishes RTS that define the criteria for categorizing ICT-related incidents and cyber threats. It outlines materiality thresholds and specifies the requirements for reporting significant incidents. These RTS emanate from Article 18(4) of DORA, aiming to ensure a robust framework for identifying and addressing digital threats in the financial sector.
- ICT Risk Management Tools and Framework: The second regulation (C(2024) 1532 final) lays down RTS for ICT risk management tools, methods, processes, and policies, including a simplified ICT risk management framework. Addressing mandates under Articles 15 and 16(3) of DORA, this regulation aims to provide financial entities with a comprehensive set of guidelines and tools for effective digital risk management.
- Contractual Arrangements Policy with ICT Third-Party Service Providers: The third regulation (C(2024) 1531 final) details the RTS for the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions. This regulation, mandated by Article 28(10) of DORA, seeks to clarify and standardize the contractual obligations and expectations between financial entities and their ICT third-party service providers, enhancing the security and resilience of outsourced functions.