On a quick review, our points to flag are:
On the controversial Threat-Led Penetration Testing (TLPT), we now have clarity on which financial entities are required to undertake TLPT
On incident reporting, the ESAs have streamlined the information required in the initial reports with a view to reducing administrative reporting burden in the first 24 hours of an ICT-related incident occurring. Welcome!
Also on incident reporting, there are new time limits for notifications, as these have been modified in the final draft. In particular, the intermediate reports are now required to be submitted within 72 hours of the initial notification, even where the classification or handling of the incident has not changed. Where activities have recovered, this intermediate report is to be submitted “without undue delay”. These changes in timelines are worth careful review by financial entities.
We now have the sub-contracting RTS, but this was delayed and was only published on 26 July 2024. See below for more details.
Following last week’s publication of the majority of the second batch of policy products under the Digital Operational Resilience Act (DORA), the European Supervisory Authorities (ESAs) have published their Final Report on draft regulatory technical standards (RTS) to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions, as mandated by Article 30(5) of the DORA Regulation.
From our initial high-level review, some interesting points to call out:
- There is further clarity on the proportionality principle, with the RTS specifying the criteria for financial entities to take into account in applying the requirements of the RTS in a proportionate way
- The obligation for the DORA clauses to be replicated in agreements with subcontractors has been adjusted. Now, the obligation on ICT third-party service providers (ICT TPPs) is to ensure that contracts with subcontractors allow the financial entity to comply with its obligations under DORA and all other applicable legal and regulatory requirements. As would be expected, the financial entity, competent authorities and resolution authorities must still be granted access and audit rights along the chain of subcontractors
- The financial entity has the express right to object to, and request modifications to, a material change to subcontracting arrangements, and the right to terminate its agreement with its ICT TPPs where the objection or requested modification has not been complied with by the ICT TPPs
- The RTS will now be submitted to the European Commission for adoption