ESAs finalise second batch of DORA Level 2 rules – but one is missing…

The European Supervisory Authorities have finalised more technical standards under the EU’s Digital Operational Resilience Act. EU financial firms will need to reflect the latest changes to these rules in their DORA implementation projects. However, important rules on subcontracting of ICT services are still to come.

Second batch

Last year the ESAs opened consultations on two batches of draft technical standards under DORA. They finalised the first batch in January. Now they have submitted the second batch to the European Commission.

Topics covered in the second batch which are relevant to financial firms include threat-led penetration testing, reporting of major ICT-related incidents and significant cyber threats to regulators, and subcontracting of ICT services (more on that below).

Reporting ICT incidents

The latest drafts include some helpful changes. For example, on ICT-related incident reporting:

• The timeframes for reporting have been relaxed, slightly
• There is more flexibility for reporting major incidents over weekends and bank holidays
• There are fewer data fields to report

There is also a new mechanism for aggregating incident reports. DORA contemplates that firms may outsource reporting of major ICT incidents, subject to the financial entity retaining full responsibility for compliance. The latest technical standards build on this by allowing ICT third party service providers to submit aggregate reports, covering all affected financial entities.

While ostensibly helpful, obstacles may limit the usefulness of aggregate reporting in practice. The rules impose several constraints, including that that the incident must be classified as major by every firm covered in the aggregated report, regulators have expressly permitted aggregated reporting and firms must still be able to submit individual incident notifications or report on request. In addition, significant credit institutions, operators of trading venues and CCPs are expressly carved out of this and must submit incident notifications and reports at solo level to their regulators.

Pen testing

The regulatory technical standards (RTS) on threat-led penetration testing clarify which financial entities are required to preform TLPT. For example, the ESAs have changed the selection criteria for insurance and reinsurance firms and increased the thresholds applicable to payment and e-money firms.

The ESAs have confirmed that investment funds and asset managers are not on the list of financial entities who are required to perform TLPT by default. As such, they will only need to do so if required by their relevant regulator.

Outstanding subcontracting rules

One of the main challenges EU financial firms face when implementing DORA is how they should approach subcontracting. The ESAs were expected to finalise additional RTS on subcontracting ICT services supporting critical or important functions by 17 July 2024. However, in their press release for the second batch, the ESAs say that this remaining RTS will be published “in due course”.

This means that there are now two sets of technical standards which have been delayed during the legislative process. (Implementing technical standards on the DORA register from the first batch have still not been adopted by the European Commission.) Firms who were already concerned about the fast-approaching DORA deadline will not welcome further delays to the rulebook being finalised.

Six months to go…

All the DORA requirements start to apply on 17 January 2025. Despite some concerns in the industry about how much still needs to be done before then, the ESAs have reiterated that they do not have a mandate to introduce transitional provisions to smooth DORA implementation beyond this date.

Join our next DORA webinar

In the next instalment in our DORA webinar series we will discuss the latest developments, including how the draft Level 2 texts have changed and what happens next.

Subscribers to the Linklaters knowledge portal can catch up on our previous webinars via our operational resilience webpage.