In our previous blog about the Digital Operational Resilience Act (DORA), we briefly introduced the first batch of technical standards. These standards were developed by the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ‘ESAs’) and were recently published and submitted to the European Commission for adoption.
In this blog, we will update you in more detail on three of the four technical standards, which form part of the first batch:
- the Regulatory Technical Standards (‘RTS’), on criteria for the classification of ICT-related incidents;
- the Implementing Technical Standards (‘ITS’), to establish templates for the register of information; and
- the RTS specifying the policy on ICT services performed by third parties.
Criteria for the classification of ICT-related incidents
Determining major ICT incidents
DORA requires financial entities (e.g., credit institutions, pension funds, investment fund managers and insurance undertakings) to establish procedures to detect, manage and notify ICT-related incidents. While certain types of financial entities (such as payment institutions and electronic money institutions) already adhere to incident management procedures due to sector-specific regulations, the proposed RTS on criteria for the classification of ICT-related incidents seek to align with existing measures while expanding the scope to cover all financial entities under DORA. The RTS introduce a two-step approach to determine whether an ICT-related incident is major.
Step 1: The first mandatory step involves assessing whether the incident impacts critical services of the financial entity. An incident is deemed to affect critical services if it:
- affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
- affects or has affected financial services that require authorisation, registration or that are supervised by competent authorities; or
- represents a successful, malicious and unauthorised access to the network and information systems of the financial entity.
If the incident does not affect critical services, it is not classified as major. However, if it does (i.e., meets one of the thresholds above), a financial entity proceeds to the second step.
Step 2: In this phase, the financial entity assesses whether one of the following conditions is satisfied: (i) any malicious unauthorised access to network and information systems is identified or (ii) the thresholds of any other two additional criteria (see below) are triggered. If either of these conditions is met, the incident is designated as major; otherwise, it retains its classification as non-major.
The ESAs introduce additional classification criteria, each defined by specific thresholds, for financial entities to determine whether an ICT incident qualifies as major. These criteria cover the following topics:
- Clients, counterparts, and transactions: financial entities must assess the incident’s impact on clients, financial counterparts and transactions. This additional criterion is triggered if the incident meets any of the materiality thresholds: 10% of the clients or transactions are affected, 30% of the financial counterparts are affected, or more than 100,000 clients are affected;
- Data losses: the criterion is triggered if there is any impact on the availability, authenticity, integrity, or confidentiality of data, which has, or may have, an adverse impact on business objectives or regulatory requirements of the financial entity (no quantitative thresholds);
- Reputational impact: the criterion is triggered if reputational impact has occurred based on media attention, complaints received, failure to meet regulatory requirements, or loss of clients or counterparts (no quantitative thresholds);
- Duration and service downtime: the criterion is triggered if the duration of the incident is longer than 24 hours, or if the service downtime is longer than two hours for ICT services that support critical or important functions;
- Geographical spread: the criterion is triggered if the incident has a significant impact on clients, counterparts, branches, financial entities, or third-party providers in the territories of at least two Member States;
- Economic impact: the criterion is triggered if the direct and indirect costs and losses incurred by the incident (are likely to) exceed EUR 100,000.
Once the financial entity determines that the ICT incident is major, it must report the incident to the relevant competent authority by an initial notification. This initial notification must provide all relevant information, enabling the competent authority to assess the incident's significance and evaluate potential cross-border implications.
In addition to the initial notification, the financial entity is required to submit intermediate reports whenever there are significant changes to the ICT-related incident or alterations in the approach to handling the major ICT incident based on newly acquired information. These intermediate reports serve as crucial updates for the competent authority. Finally, a comprehensive final report must be submitted once the root-cause analysis is completed, regardless of whether mitigating measures have been implemented.
Recurring ICT incidents
ICT incidents that individually do not meet the criteria to be classified as major can still be major if they are recurring ICT incidents. A recurring ICT incident must be classified as major if all of the following criteria are met:
- the incidents have occurred at least twice within 6 months;
- the incidents have the same root cause, and
- in the aggregate, the recurring ICT incidents meet the classification criteria for major ICT incidents.
Smaller financial entities, e.g., those subject to a simplified ICT risk management framework (which will be explained in our next blog) and microenterprises, are exempted from the obligation to report recurring incidents.
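To make the two-step test above and the recurring-incident aggregation concrete, here is an added example of how a SOC case-management tool could encode them. This is illustration code written for this blog, not tooling from the ESAs or any supervisor; the `Incident` fields, the treatment of percentages as shares of the entity's totals, the 182-day approximation of "6 months", and the sample incidents are all assumptions constructed for the example.

```python
"""Added example: DORA major-incident classification and recurring-incident aggregation.
Not the ESAs' tooling; field names and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as quoted in the blog. Shares are assumed to be fractions of the entity's totals.
CLIENT_SHARE, TRANSACTION_SHARE, COUNTERPART_SHARE = 0.10, 0.10, 0.30
CLIENT_ABSOLUTE = 100_000
DURATION_HOURS, DOWNTIME_HOURS = 24, 2
ECONOMIC_EUR = 100_000
MEMBER_STATES = 2
RECURRENCE_WINDOW = timedelta(days=182)   # assumption: "6 months" approximated as 182 days


@dataclass
class Incident:
    ref: str
    detected_at: datetime
    root_cause: str
    affects_cif_systems: bool              # step 1: ICT systems supporting critical/important functions
    affects_authorised_services: bool      # step 1: authorised/registered/supervised financial services
    malicious_unauthorised_access: bool    # step 1 and step 2(i)
    clients_affected: int = 0
    clients_total: int = 1
    transactions_affected: int = 0
    transactions_total: int = 1
    counterparts_affected: int = 0
    counterparts_total: int = 1
    data_impact: bool = False              # availability/authenticity/integrity/confidentiality
    reputational_impact: bool = False
    duration_hours: float = 0.0
    cif_downtime_hours: float = 0.0        # downtime of services supporting critical/important functions
    member_states: int = 1
    economic_loss_eur: float = 0.0


def affects_critical_services(inc: Incident) -> bool:
    """Step 1: any of the three 'critical services' conditions."""
    return inc.affects_cif_systems or inc.affects_authorised_services or inc.malicious_unauthorised_access


def triggered_criteria(inc: Incident) -> list:
    """Step 2 helper: names of the additional criteria whose thresholds are met."""
    share = lambda part, total: part / total if total else 0.0
    hits = []
    if (share(inc.clients_affected, inc.clients_total) >= CLIENT_SHARE
            or share(inc.transactions_affected, inc.transactions_total) >= TRANSACTION_SHARE
            or share(inc.counterparts_affected, inc.counterparts_total) >= COUNTERPART_SHARE
            or inc.clients_affected > CLIENT_ABSOLUTE):
        hits.append("clients_counterparts_transactions")
    if inc.data_impact:
        hits.append("data_losses")
    if inc.reputational_impact:
        hits.append("reputational_impact")
    if inc.duration_hours > DURATION_HOURS or inc.cif_downtime_hours > DOWNTIME_HOURS:
        hits.append("duration_downtime")
    if inc.member_states >= MEMBER_STATES:
        hits.append("geographical_spread")
    if inc.economic_loss_eur > ECONOMIC_EUR:
        hits.append("economic_impact")
    return hits


def classify(inc: Incident) -> tuple:
    """Return ('major' | 'non-major', reason) following the two-step approach."""
    if not affects_critical_services(inc):
        return "non-major", "step 1: no critical service affected"
    if inc.malicious_unauthorised_access:
        return "major", "step 2: malicious unauthorised access"
    hits = triggered_criteria(inc)
    if len(hits) >= 2:
        return "major", "step 2: " + ", ".join(hits)
    return "non-major", f"step 2: only {len(hits)} additional criterion triggered"


def aggregate_recurring(incidents: list) -> list:
    """Merge incidents sharing a root cause within the window into one aggregate Incident.
    Simplification: a group qualifies only if all its incidents fall inside the window."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc.root_cause, []).append(inc)
    merged = []
    for cause, grp in groups.items():
        grp.sort(key=lambda i: i.detected_at)
        if len(grp) < 2 or grp[-1].detected_at - grp[0].detected_at > RECURRENCE_WINDOW:
            continue
        merged.append(Incident(
            ref="+".join(i.ref for i in grp), detected_at=grp[0].detected_at, root_cause=cause,
            affects_cif_systems=any(i.affects_cif_systems for i in grp),
            affects_authorised_services=any(i.affects_authorised_services for i in grp),
            malicious_unauthorised_access=any(i.malicious_unauthorised_access for i in grp),
            clients_affected=sum(i.clients_affected for i in grp),
            clients_total=max(i.clients_total for i in grp),
            transactions_affected=sum(i.transactions_affected for i in grp),
            transactions_total=max(i.transactions_total for i in grp),
            counterparts_affected=sum(i.counterparts_affected for i in grp),
            counterparts_total=max(i.counterparts_total for i in grp),
            data_impact=any(i.data_impact for i in grp),
            reputational_impact=any(i.reputational_impact for i in grp),
            duration_hours=sum(i.duration_hours for i in grp),
            cif_downtime_hours=sum(i.cif_downtime_hours for i in grp),
            member_states=max(i.member_states for i in grp),
            economic_loss_eur=sum(i.economic_loss_eur for i in grp)))
    return merged


# Constructed sample data: two outages with one root cause, one intrusion, one non-critical glitch.
SAMPLE = [
    Incident("INC-1", datetime(2024, 2, 1), "db-pool-exhaustion", True, False, False,
             clients_affected=2000, clients_total=50_000, duration_hours=5,
             cif_downtime_hours=1.0, economic_loss_eur=20_000),
    Incident("INC-2", datetime(2024, 2, 22), "db-pool-exhaustion", True, False, False,
             clients_affected=4000, clients_total=50_000, duration_hours=6,
             cif_downtime_hours=1.5, economic_loss_eur=90_000),
    Incident("INC-3", datetime(2024, 3, 3), "credential-misuse", True, False, True),
    Incident("INC-4", datetime(2024, 3, 9), "intranet-wiki-outage", False, False, False),
]

if __name__ == "__main__":
    for inc in SAMPLE + aggregate_recurring(SAMPLE):
        print(inc.ref, *classify(inc))
```

Individually, INC-1 and INC-2 each clear step 1 but trigger no additional criterion; aggregated, they cross the client-share, downtime and economic thresholds at once and become major, which is exactly the recurring-incident case the blog describes.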
Determining significant cyber threats
DORA requires financial entities to classify cyber threats as significant based on the criticality of the services at risk. A cyber threat is deemed significant if it:
- poses a potential risk to the financial entity's critical or important functions, those of other financial entities, third-party providers, clients, or financial counterparts;
- exhibits a high probability of occurrence within the financial entity or across other financial entities, and
- could potentially meet the conditions set for major ICT-related incidents upon materialisation.
Financial entities can, on a voluntary basis, notify significant cyber threats to the relevant competent authority, when they consider that the cyber threat is of relevance to the financial system, service users or clients.
Local implementation - Luxembourg
In Luxembourg, the Commission de Surveillance du Secteur Financier (CSSF) introduced a new ICT‑related incident reporting framework (Circular CSSF 24/847) in response to the growing ICT and security risk within the interconnected global financial system.
Applicable to the majority of supervised entities (including credit institutions, all types of professionals in the financial sector, payment and electronic money institutions, investment management companies, alternative investment fund managers and crowdfunding service providers) in Luxembourg's financial sector, this circular significantly expands incident coverage, addressing a broader spectrum of ICT operational and security incidents.
The circular introduces a reporting obligation to the CSSF for ICT-related incidents which qualify as “major” based on classification criteria as set out in paragraph 2.1. Furthermore, a new incident reporting notification form is introduced, facilitating structured data submission to the CSSF.
This circular will enter into force on 1 April 2024 for most of the supervised entities of the financial sector in Luxembourg and on 1 June 2024 for investment funds and fund managers. This will leave time for in-scope entities to prepare for the entry into force of these new obligations. Further information can also be found on the dedicated ICT Risk page of the CSSF.
The establishment of templates for the register of information
Currently, financial entities such as banks, electronic money institutions, insurers and payment institutions are required to maintain a register covering their (critical and important) outsourcing arrangements. DORA requires all financial entities that fall within its scope to maintain and update a register of information relating to all contractual arrangements on the use of ICT services provided by third-party service providers. DORA is complementary to the existing outsourcing obligations. Therefore, financial entities will need to adhere to both DORA and the outsourcing framework (if and to the extent applicable). ICT services can overlap with outsourcing arrangements, but financial entities should recognise that not every ICT service is an outsourcing arrangement and vice versa.
The draft ITS to establish templates for the register of information propose standard templates for the register of information that can be maintained at the level of the financial entity, sub-group or group. These templates leverage current practices relating to outsourcing to ensure consistency in data collection and reporting. The register of information is composed of 15 templates and requires detailed information relating to the financial entity maintaining the register, contractual arrangements, third-party ICT service providers, ICT service supply chains, intra-group arrangements, and the specific ICT services involved. On 30 January 2024, the ESAs published the template that can be used by financial entities. The template can be found here.
Financial entities will be required to report their full register of information to their supervisors at least annually.
The specification of the policy on ICT services performed by third parties
DORA emphasises that financial entities must establish a strategy to manage ICT third-party risks, building upon existing guidelines such as those for outsourcing arrangements and EBA Guidelines on ICT and security risk management. This strategy has to include a policy governing the use of ICT services supporting critical or important functions provided by third-party service providers.
This policy must ensure that financial entities retain control over operational risks, information security, and business continuity throughout the life cycle of contractual arrangements with these providers. The technical standards (RTS to specify the policy on ICT services performed by third parties) remind financial entities that the use of ICT service providers does not reduce the responsibility of financial entities or their management to manage risks and comply with legislative requirements.
Furthermore, the policy must cover the entire life cycle of the ICT arrangement, from preparation (including risk assessments and due diligence processes) to service delivery and eventual termination or exit. An essential component involves overseeing the reputation of third-party service providers, validating their resources, expertise, and compliance with contractual and regulatory obligations. To ensure a smooth implementation, financial entities can build on their expertise to manage outsourcing arrangements.
What is next?
The technical standards presented in this blog were submitted on 17 January 2024 to the European Commission for adoption. As we await their approval, our focus shifts to the last RTS of the first batch on the (simplified) ICT risk management framework and the second batch of draft technical standards.
In our upcoming blogs we will delve even deeper into the DORA legislation, offering more comprehensive details on threat-led penetration testing, refining incident reporting protocols, and addressing the critical topic of subcontracting for essential functions. Rest assured, we are committed to keeping a close eye on these developments.
Stay tuned for our next blog!