DORA Trifecta – Three delegated regulations adopted by the Commission

Three delegated regulations under the Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554 or “DORA”) have been adopted by the European Commission. These newly adopted regulations set out regulatory technical standards (“RTS”) which mainly focus on the management of ICT-related incidents, contractual relationships with ICT service providers, and ICT risk management tools including the simplified ICT management framework.

• Classification of ICT-related Incidents and Cyber Threats: The first regulation (C(2024) 1519 final) establishes RTS that define the criteria for categorizing ICT-related incidents and cyber threats. It outlines materiality thresholds and specifies the requirements for reporting significant incidents. These RTS emanate from Article 18(4) of DORA, aiming to ensure a robust framework for identifying and addressing digital threats in the financial sector.

• ICT Risk Management Tools and Framework: The second regulation (C(2024) 1532 final) lays down RTS for ICT risk management tools, methods, processes, and policies, including a simplified ICT risk management framework. Addressing mandates under Articles 15 and 16(3) of DORA, this regulation aims to provide financial entities with a comprehensive set of guidelines and tools for effective digital risk management.

• Contractual Arrangements Policy with ICT Third-Party Service Providers: The third regulation (C(2024) 1531 final) details the RTS for the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions. This regulation, mandated by Article 28(10) of DORA, seeks to clarify and standardize the contractual obligations and expectations between financial entities and their ICT third-party service providers, enhancing the security and resilience of outsourced functions.

These Delegated Regulations will become effective 20 days following their publication in the Official Journal of the European Union. The adoption of these regulations marks yet another pivotal step in the EU’s efforts to strengthen the digital resilience of its financial sector. The abovementioned regulations will now move to the European Parliament and to the Council of the EU for scrutiny. Pending no objections, these regulations will be formally published, representing a critical step forward in the EU’s digital operational resilience strategy.

Author: James Debono (Senior Associate, Ganado Advocates)