Are you ready for DORA?
ICT providers and a wide range of service providers in the financial space are racing to work out whether their operations are impacted by new EU rules and if so, how. The definitions are fairly broad, so if your organisation has not already looked into DORA, the Digital Operational Resilience Act, now might be the right time.
The European Supervisory Authorities (ESAs) – EBA, EIOPA, and ESMA – have now unveiled the final set of draft technical standards under DORA, which takes full effect in January 2025. The rules aim to strengthen the cyber resilience of the EU financial sector by reinforcing ICT and third-party risk management and by introducing enhanced incident reporting frameworks.
The recently released joint draft standards comprise Regulatory Technical Standards (RTS) on ICT risk management, criteria for classifying ICT-related incidents, and the policy on ICT services provided by third-party service providers.
These standards, aligned with DORA’s requirements, aim to provide a unified approach to ICT risk management across the financial sector. In an era of greatly heightened cybersecurity risk, rules that reach beyond financial services firms into the technology and service providers they rely on reflect a broader global trend.
The update also includes Implementing Technical Standards (ITS), defining the information that financial entities will need to maintain about their arrangements with third-party ICT providers. This information will feed into a register of information, which is central to supervisory oversight of DORA compliance.
The final draft technical standards are now under review by the European Commission, with adoption expected in the coming months.
Read more about DORA and view the files here.