ESAs Public Technical Discussion on DORA Level 2

Yesterday, the European Supervisory Authorities (ESAs) hosted a public technical discussion on the Level 2 of DORA. All the RTSs and ITSs with a deadline of January 2024 (the 12-month deadline) and two related RTSs with an 18-month deadline were discussed. We have summarized the most important aspects for you.

For more information, please contact our experts at PwC Switzerland - Legal and PwC Switzerland

Dr Guenther Dobrauz-Saldapenna, Alexandra Burns, Johannes Dohren, Gabriela Tsekova, Philipp Rosenauer

Key takeaways:

  • Gerry Cross (Chairperson of the Joint Committee sub-committee on Digital Operational Resilience) said that a multi-year perspective will be adopted, which means that the new DORA framework will be implemented well on time, but it will also be refined with implementation over time.
  • All the ESAs highlighted the importance for the industry to engage with the ESAs on DORA Level 2. They seemed eager to engage with the industry in order to obtain practical information and the industry's view on Level 2.
  • Many questions were left unanswered because they were not relevant to the sessions and because the ESAs are at an early stage of the Level 2 work. The statements and questions will be taken into consideration by the ESAs for the upcoming work on the RTSs.
  • A second public technical discussion on the rest of the Level 2 of DORA will be provided in June. In addition, in June, a first consultation round on the RTSs discussed today will be organized. The ESAs will make more details available soon.


In more detail:

Opening remarks

Petra Hielkema, Chairperson of EIOPA

Digital resilience is a topic that is globally high on the agenda of policy makers, supervisors and the industry. The World Economic Forum recently called for a global response to cybersecurity risk. The consequences of a cyber-attack or a disruption of an important cross-border financial service can have a far-reaching impact on other companies, subsectors or the economy. DORA is therefore very relevant in order to maintain trust in the industry and the financial sector.

DORA will:

  • Bring harmonisation of the rules relating to operational resilience for the financial sector.
  • Be a lex specialis to the NIS Directive.
  • Cover ICT risk management, ICT incident reporting, testing of the operational resilience of ICT systems, and the management of ICT third-party risks (including the oversight framework for pan-European critical ICT third-party service providers (CTPPs)).
  • Enhance cooperation among competent authorities (within and outside the financial sector).
  • Build on the European Systemic Risk Board recommendation, already addressed to the ESAs, to set up a pan-European systemic cyber incident coordination framework for relevant authorities.
  • Provide a framework on the basis of which oversight of the CTPPs (critical third-party providers) can be implemented.

She also named a number of challenges: (1) there will be a need for an overall integration of DORA oversight into the broader supervisory processes; (2) the speed of technology will mean supervisors need to keep pace with the innovation in the market and the skills required to supervise it; (3) speed is needed for DORA itself and for delivering the implementing and regulatory standards.

Gerry Cross, Chairperson of the Joint Committee sub-committee on Digital Operational Resilience

The importance of the subject is the reason why the European co-legislators have set a tight and challenging timeline for the implementation of the new regulatory and oversight framework. The first set of policy mandates assigned to the ESAs needs to be delivered in less than one year's time, the remaining ones in less than 18 months. To deliver on this mandate, the Joint Committee of the ESAs has established a new sub-committee on digital resilience. This is a cross-sectoral committee consisting of senior experts and policy makers from the full range of European and national financial regulatory bodies (including ENISA, the EU Agency for Cybersecurity, and the ECB).

The sub-committee has set out three broad work streams:

  1. ICT risk management;
  2. Incident reporting and response;
  3. Third-party and cloud service provision oversight.

The work is well on its way and moving with strong momentum to meet the deadlines, including the first stakeholder consultation. A multi-year perspective will be adopted, which means that the new framework will be implemented well on time, but it will also be refined with implementation over time. In addition, the framework has to be well adapted for application by entities of all shapes, sizes, levels of complexity and business models.


Mattias Levin, European Commission, Deputy Head of Unit of the Digital Finance unit of DG FISMA

The financial sector is increasingly dependent on technology and tech companies when providing financial services to its clients. This makes the financial sector vulnerable to problems with that technology, such as cyber-attacks. This affects all sectors of the economy, but cyber risks are only partially addressed at EU level: the general rules only partially apply to finance and have been unevenly implemented across the EU. Within the financial services sector, the rules tackling the problems of ICT dependence were a patchwork, inconsistent and fragmented across the EU.

In finance, DORA upgrades EU rules to promote resilience. By virtue of its lex specialis status, DORA substitutes the core provisions of NIS2 (the Directive on measures for a high common level of cybersecurity), which was negotiated and adopted in parallel to DORA; the rules of DORA replace the core provisions of NIS2. DORA also complements general policy pieces that have been put in place, such as the CER (Directive on the resilience of critical entities), the CSA (Cybersecurity Act) and the CRA (Cyber Resilience Act).

The five main pillars of DORA are:

  1. ICT risk management (Articles 5 to 16);
  2. ICT-related incident reporting (Articles 17 to 23);
  3. Digital operational resilience testing (Articles 24 to 27);
  4. ICT third-party risk (Articles 28 to 44);
  5. Information sharing.

Session 1: ICT Risk Management and ICT third party risk

Barbara Daskala, Senior Supervision Officer ESMA

This session covered the following four RTSs:

  1. RTS on ICT risk management framework;
  2. RTS on simplified ICT RMF;
  3. RTS to specify the policy on ICT services;
  4. RTS to specify elements when sub-contracting critical or important functions.


The aim is for a comprehensive, strong and effective ICT risk management:

  • Tackle fragmentation of ICT requirements laid down in the current Union financial services law;
  • Upgrade ICT risk requirements;
  • Achieve consistency in rules;
  • Promote risk-based implementation and supervision;
  • Cover cyber hygiene explicitly;
  • Introduce key principles for financial entities’ management of ICT third-party risk;
  • Complement existing requirements on ICT outsourcing;
  • Enable monitoring of ICT third-party contractual arrangements (not fully anchored in Union law before DORA);
  • Achieve homogeneity and convergence in the monitoring of ICT third-party risk and ICT third-party dependencies;
  • Consider the size and overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.


RTSs on ICT Risk Management – Legal Mandate

Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies:

a. Specify further elements to be included in the ICT security policies, procedures, protocols and tools (Article 9(2))

b. Develop further controls of access management rights and monitoring of anomalous behaviour (Article 9(4), point (c))

c. Develop further mechanisms on prompt detection of anomalous behaviour related to ICT risk (Article 10(1)) and triggering of incident detection and response processes (Article 10(2))

d. Specify further ICT business continuity policy components (Article 11(1))

e. Specify further ICT business continuity plan testing (Article 11(6))

f. Specify further ICT response and recovery plans components (Article 11(3))

g. Specify further content and format of the report on the review for the ICT RM framework (Article 6(5))


Article 16 - Simplified ICT risk management framework (for small and non-interconnected investment firms, exempted payment institutions, exempted institutions, exempted electronic money institutions, and small institutions for occupational retirement provision (Article 16(1), first subparagraph))

a. Specify further elements to be included in the ICT risk management (Article 16(1)(a))

b. Specify further elements in relation to systems, protocols and tools to minimise the impact of ICT risk (Article 16(1)(c))

c. Specify further components of the ICT business continuity plans (Article 16(1)(f))

d. Specify further rules on business continuity plan testing (Article 16(1)(g))

e. Specify further content and format of the report on the review for the ICT RM framework (Article 16(2))


RTSs on Third Party Risk Management – Legal Mandate

Article 28(10)

The ESAs are asked to further specify the content of the policy on the use of ICT services concerning critical or important functions provided by ICT third-party service providers.

The background of this lies in Article 28(2) of DORA, which requires a strategy on ICT third-party risk. This strategy includes a policy on the use of ICT services. Here, the ESAs specify the detailed content of the policy referred to in this paragraph in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by the service providers. Here too, size, nature, scale and complexity need to be taken into account.


Article 30(5)

The ESAs are asked to specify elements when sub-contracting services supporting critical or important functions.

This is linked to Article 30(2) of DORA, which covers whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when this is the case, the conditions applying to such subcontracting. Subcontracting is an important area, as risks have been identified with it. This is also the reason why it is important for the ESAs to specify the further elements referred to in paragraph 2 of Article 30.

The Preliminary Timeline for RTSs on RMF and ICT Policy (12 months deadline) is as follows:

  • Mid-January to mid-June 2023 Development of Consultation Paper on draft policy mandate;
  • Mid-June to September 2023 Public consultation;
  • September 2023 to 17 January 2024 Assessment of responses, development of Final Report on draft policy mandate;
  • 17 January 2024 Submission of the draft RTS to the Commission.


The Preliminary Timeline for RTSs on sub-contracting (18 months deadline) is as follows:

  • From mid-January to November 2023 Development of Consultation Paper on draft policy mandate;
  • November 2023 to February 2024 Public consultation;
  • February 2024 to 17 June 2024 Assessment of responses, development of Final Report on draft policy mandate;
  • 17 January 2024 Submission of the draft RTS to the Commission.


QUESTIONS/STATEMENTS SESSION 1:

Question - There is a reference to class 3 investment firms, but not to class 2 investment firms. Will there be discrimination in terms of the approach chosen for the mid-sized investment firms, which are often also small investment firms?

Answer: It is still too early to say, but the scope is very clear in DORA in Level 1.


Question - (1) In the tight timeframe, the ESAs will have to ensure that consultation with the industry is not only continuous but also provides realistic time for meaningful feedback on the complicated Level 2 work. Can you please elaborate on this? (2) In interpreting “critical or important functions” provided by CTPPs, is “critical” to be understood solely from the recovery and resolution perspective (Article 28(10))?

Answer: (1) The timeframe is indeed very tight. Everybody shares these concerns. The ESAs want the industry to provide comments and input. Regarding the 12-month deadline Level 2, from September 2023 the ESAs plan to assess the responses and to develop the final report, with submission of the draft RTSs and ITSs to the Commission by January 2024. (2) It is still too early to answer this.


Question - Will the RTS extend the implementation timeline for financial institutions, since all of them will come at the beginning or middle of 2024, or does the two-year implementation timeframe stay? Will you extend the timeframe for the institutions?

Answer: It is probably not possible for the ESAs to extend the implementation timelines for financial institutions, but it will be checked and confirmed.


Question - Should agreements with ICT service providers be renegotiated in retrospect to comply with DORA? If yes, what is the deadline for these renegotiations to materialize?

Answer: There is a period that you will be required to implement the RTSs that the ESAs will define. In that period you will need to do the necessary in order to comply with the RTSs.


Question - Article 8(6) mentions the term “major change”. Can you explain when a change is considered to be “major”? In Article 19(1), the term “major ICT-related incident” is used. When is an ICT-related incident “major”?

Answer: On “major (change)”, the ESAs still need to consider, in drafting the RTS, how deep to go and how detailed to be in defining aspects. Level 2 is not going to define terms that have not been defined by Level 1.


Session 2: ICT Incidents

Antonio Barzachki, Senior Expert EBA

This session covered the following RTSs:

  • RTS on classification of major ICT incidents;
  • RTS on reporting of major ICT incidents.


DORA introduces a harmonised and streamlined framework for reporting of major ICT-related incidents, under which financial entities:

  • Establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
  • Report major ICT-related incidents to the relevant competent authority under DORA by way of an initial notification, an intermediate report and a final report.
  • Report, on a voluntary basis, significant cyber threats to the relevant competent authority under DORA.

Recipients of the major ICT-related incident reports are the relevant competent authorities, EBA, ESMA, EIOPA, the ECB, the single points of contact or CSIRTs under NIS2, resolution authorities or other public authorities.

Criteria for classification of major ICT-related incidents:

  1. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
  2. the duration of the ICT-related incident, including the service downtime;
  3. the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
  4. the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
  5. the criticality of the services affected, including the financial entity’s transactions and operations;
  6. the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.

Classification of cyber threats as significant

Classification of cyber threats as significant should be done based on the criticality of the services at risk, including the financial entity’s transactions and operations, the number and/or relevance of clients or financial counterparts targeted, and the geographical spread of the areas at risk.

Article 18(3) and (4)

RTS on criteria for classification of major ICT-related incidents and significant cyber threats. This includes five specific components: (1) further specify the criteria that are set out in DORA; (2) introduce potential future materiality thresholds for determining major ICT-related incidents under these criteria; (3) focus on the criteria for assessing the relevance of major incidents to relevant competent authorities in other Member States; (4) determine the information that needs to be shared with other competent authorities; (5) establish the materiality threshold for determining significant cyber threats.

When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services. Secondly, the requirements in the RTS should be aligned with any international standards, guidance and specifications developed and published by ENISA.

The preliminary timeline for the RTS on classification of major ICT incidents (12 months deadline) is as follows:

  • Mid-January to mid-June 2023 development of consultation paper on draft policy mandate;
  • Mid-June to September 2023 public consultation;
  • September 2023 to 17 January 2024 assessment of responses, development of final report on draft policy mandate;
  • 17 January 2024 submission of the draft RTS to the Commission.


Article 20(a)

RTS specifying the content of the major ICT-related incident reports and of the notifications for significant cyber threats, as well as the time limits for incident reporting. This includes three specific components: (1) establish the content of the reports for major ICT-related incidents; (2) determine the time limits for the initial notification and for each report; (3) establish the content of the notification for significant cyber threats.

On the content of the reports on major ICT incidents, DORA touches upon three specific points: (1) the content should reflect the classification criteria; (2) it should contain the information needed to identify the relevance for other Member States; (3) it should state whether or not the incident constitutes a major operational or security payment-related incident.

The preliminary timeline for the RTS on reporting of major ICT incidents (18 months deadline) is as follows:

  • From mid-January to November 2023 development of consultation paper on draft policy mandate;
  • November 2023 to February 2024 public consultation;
  • February 2024 to 17 June 2024 assessment of responses, development of final report on draft policy mandate;
  • 17 January 2024 submission of the draft RTS to the Commission.


QUESTIONS/STATEMENTS SESSION 2:

Question - If an incident occurs in a third party vendor's environment and a side effect occurs in a financial institution's environment, who should be obligated to report to the regulator, the third party vendor or the bank?

Answer: In general, this is set out in DORA, which requires financial entities to report to competent authorities.


Question - How will DORA affect the current PSD2 directive, especially in regard to major incident reporting?

Answer: DORA envisages setting out a harmonised incident reporting framework. The entities listed in the scope, which include payment service providers, would need to report major incidents under DORA. That is the reason why some of the requirements relate not only to ICT-related incidents, but also to operational and security payment-related incidents.

Question - Do third parties need to comply with NIS2 if they have other parts of their business which are non-financial? For instance, a telco provider which is a critical provider to a bank: do NIS2 and DORA apply, or only DORA? The creation of an EU hub to streamline and harmonize reporting would be great. ESAs' aid in information sharing across the different competent authorities would be another example.

Answer: The ESAs aim at a framework that is as harmonised as possible and will have a specific look at this.

Questions - (1) DORA is considered lex specialis to NIS2. What will be the relationship between DORA and the CER Directive, in particular in the context of incident management? (2) RTS on incident management: will the delegated acts refer to the handling of ransomware attacks (e.g. involvement of the management body in decision taking) and to concerns regarding cyber insurance?

Answer: Both questions are not directly related to the mandates discussed; however, these are interesting points and will be taken into account.


Question - Preparing the initial incident notification should not take up valuable resources and time and the initial notification should not be excessively detailed. Could the ESAs share their views on the format of the initial incident notification?

Answer: Unfortunately, the ESAs are not able to share any detailed information.


Question - Regarding the criteria for classification of incidents: will these include subjective criteria, for example malicious intent?

Answer: DORA provides a definition of major ICT-related incidents. The criteria are also clearly set out in DORA. From that perspective, it is not possible to introduce additional criteria to those that are already there.

Session 3: ITS on register of information

Andrea Vetrone, Senior Expert EIOPA

Article 28(9):

ITS on the Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. In this register, all contracts with third-party providers need to be appropriately documented. In addition, financial entities will need to distinguish between contracts covering critical or important functions and contracts supporting functions which are not critical or important. Also, there is a requirement for financial entities to report annually certain information on new arrangements on the use of ICT services.

Purpose of the register of information:

  1. Financial entities' ICT risk management: As part of their ICT risk management framework, financial entities shall maintain and update at entity level and, at sub-consolidated and consolidated levels, a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers (Art. 28.3).
  2. Supervision by competent authorities: Financial entities shall make available to the competent authority, upon its request, the full Register of Information […] along with any information deemed necessary to enable the effective supervision of the financial entity (Art. 28.3).
  3. Designation of critical third-party providers: To enhance supervisory awareness of ICT third-party dependencies, and with a view to further supporting the work in the context of the Oversight Framework established by this Regulation, all financial entities should be required to maintain a register of information with all contractual arrangements about the use of ICT services provided by ICT third-party service providers. (Recital 65).


The preliminary timeline for the ITS on the register of information (12 months deadline) is as follows:

  • Mid-January to mid-June 2023 development of consultation paper on draft policy mandate;
  • Mid-June to September 2023 public consultation;
  • September 2023 to 17 January 2024 assessment of responses, development of final report on draft policy mandate;
  • 17 January 2024 submission of the draft ITS to the Commission.


QUESTIONS/STATEMENTS SESSION 3:

Question - Given the market power of certain third-party service providers, how do you see financial services companies being able to ensure that contractual arrangements satisfy DORA requirements without tools like standard contractual clauses?

Answer: DORA includes the possibility of developing standardized contractual clauses in Recital 75 of the Regulation. The use of standardized contractual clauses is not forbidden by the Level 1 text, but is even encouraged. The ESAs are currently starting from the implementation of the legal mandates and will then wait to see whether the Union bodies develop standardized contractual clauses. However, the supervisory obligations should not be affected by the use of standardized contractual clauses.


Question - By when can we expect the final designation of CTPPs? - The ESAs will start the designation of CTPPs after the Commission has adopted a delegated act to specify designation criteria (deadline 18 months).

Answer: Designation of the critical third party providers can start once the delegated regulation from the Commission is in place. From there, the ESAs will form the assessment, together with the competent authorities, through the oversight forum to designate the critical providers.


Question - Are shareholders providing ICT technology to us, as their subsidiaries, considered to be CTPPs under DORA?

Answer: The answer is provided by Article 31(8) of the DORA Regulation, which provides the scope of the oversight framework.


Question - Do all ICT contracts need to comply with Article 30, or can non-material contracts (e.g. for the provision of online know-how/magazines) be disregarded on the basis of proportionality? Such contracts entail no real operational risks for an enterprise or investors, so I would expect these to be exempt.

Answer: Level 1 is very clear on this point. Therefore, it can be expected to have all IT services included in the register of information. However, proportionality will be taken into account as well.


Question - Given the range of existing, similar EU registers in place (e.g. the ECB/EBA template), how is the ESAs' work stream approaching alignment/harmonization in this area? In this regard, have there been any useful takeaways from the October 2022 DORA data survey, and how is this feeding into the ITS design?

Answer: Looking at all the sources in the market is part of the ESAs' policy development process. These registers will also be considered when designing the one for DORA.

Session 4: Call for advice on criticality criteria

Andrea Vetrone, Senior Expert EIOPA

Legal Background:

  • The DORA Regulation introduces a Union Oversight Framework for ICT third-party providers (ICT TPPs) deemed critical (CTPPs).
  • The ESAs are to monitor the activity of CTPPs on a pan-European scale.
  • The ESAs are to designate CTPPs for this monitoring exercise (Article 31(1)).
  • Article 31(2) sets out four high-level criteria to assess criticality of ICT TPPs.
  • Criticality criteria should also be applied in case of voluntary opt-in by an ICT TPP (Article 31(11)).
  • Article 31(6) empowers the Commission to adopt a delegated act to further specify the criticality criteria by July 2024.
  • The call for advice also covers the determination of the amount of the oversight fees and the way in which they are to be paid by CTPPs. This topic is not covered during this event.


High-level criticality criteria: Article 31(2) DORA Regulation

  1. The systemic impact on the stability, continuity or quality of the provision of financial services in the event that a CTPP would face a large-scale operational failure to provide its services, taking into account the number of financial entities and the total value of assets of financial entities to which the CTPP provides services.
  2. The systemic character or importance of the financial entities that rely on a CTPP, taking into account:
      • the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the CTPP, and
      • the interdependence between the G-SIIs or O-SIIs and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities.
  3. The reliance of financial entities on the services provided by a CTPP, in relation to critical or important functions of financial entities that ultimately involve the same ICT TPP, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements.
  4. The degree of substitutability of a CTPP, taking into account:
      • the lack of real alternatives, even partial, and
      • difficulties in relation to partially or fully migrating the relevant data and workloads from the CTPP to another ICT TPP.


The Joint ESAs response should include:

  • Several specific sets of indicators, of both a qualitative and a quantitative nature, for each of the four high-level criticality criteria set out in Article 31(2);
  • Where applicable, minimum thresholds per indicator;
  • Background information deemed relevant to support the build-up of indicators;
  • If needed, information necessary for the Commission to correctly interpret the indicators;
  • Provision of a cost-benefit analysis of all indicators considered;
  • Reflections on the frequency of reviewing criticality criteria; and
  • Feedback statement on public consultation.


The Preliminary Timeline for the call for advice is as follows:

  • Beginning-January to May 2023 Development of Consultation Paper;
  • May 2023 Targeted public consultation;
  • June 2023 to September 2023 assessment of responses, development of final report on draft policy mandate;
  • 30 September 2023 Submission of response to the Commission.


QUESTIONS/STATEMENTS SESSION 4:

Question - DORA Article 31(1)(a) foresees CTPP designation at entity level, thus possibly leading to oversight over non-relevant services also offered by the CTPP. Do the ESAs intend to improve legal certainty by suggesting further criteria to enhance the focus on those CTPP services that are critical to financial entities?

Answer: The ESAs need to stick to the Level 1 text, also in the reply to this call for advice. Level 1 seems to suggest a designation on an entity basis, starting from the application of the four criteria that are set out. These four criteria also relate to the specific services provided by critical providers to the financial entities. These elements will be taken into account.
