European Union: DORA Update – ESAs consult on first batch of standards

In brief

The EU's Digital Operational Resilience Act (DORA) aims to promote, improve and ensure operational resilience within the financial services sector. It comes into effect on 17 January 2025. Last month, six months into the two-year implementation period, the European Supervisory Authorities (ESAs) published a consultation package regarding the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of DORA.


In more detail

The package includes:

  • Draft RTS on the risk management framework that financial institutions (FIs) are required to introduce.
    • If finalised, this RTS would require FIs to ensure that their ICT policies, including information security policies, are embedded into the FI's ICT risk management framework.
    • Additionally, FIs would need to ensure that there are proper governance measures and reporting lines in place to enable the FI's management body to properly oversee and supervise the FI's risk management framework.
    • Furthermore, the FI will need to ensure that the risk management framework and the various policies that form the framework should be made with a view to protecting network and data security, and guaranteeing an accurate and prompt data transmission without major disruptions and undue delay.
  • Draft RTS regarding the classification of ICT-related incidents.
    • The draft RTS provides an indication as to how FIs will be required to classify incidents as major. This will involve a two-staged test focused on primary and secondary criteria.
    • Under the present draft, the primary criteria include: (i) clients, financial counterparts and transactions; (ii) data losses; and (iii) critical services affected. The other criterion that is specified in Art. 18 of DORA would be treated as a secondary criterion, on the basis that, in the ESAs' view, these are ancillary to the primary factors. Each factor will have its own classification thresholds – these are effectively a threshold that the incident will need to meet in order for the criterion to apply.
    • The ESAs have proposed to classify incidents as major if the classification thresholds of at least two primary criteria have been met, or at least three secondary criteria are met.
    • It should be noted that different criteria have different materiality thresholds. As such, it could be quite an extensive process to identify whether an ICT-related incident is material or not, as each different criterion will need to be assessed against its own materiality threshold.
  • Draft RTS specifying the content of the policy relating to the contractual arrangements on the use of ICT services supporting critical or important functions. 
    • The draft RTS sets out requirements for the policy that FIs are required to have in place under Art. 28(2) of DORA.
    • Broadly, the policy would require FIs to introduce certain governance arrangements, carry out risk assessments and carry out due diligence into third-party ICT providers. The draft RTS sets out the ESAs' current expectations in relation to these obligations.
    • The ESAs propose to treat third-party services providers and ICT intragroup service providers in the same way. In the ESAs' view the requirements applicable to both types of providers are similar, even if the specific risks are different.
  • Draft ITS to establish the register of third-party ICT services.
    • This draft ITS provides the current draft templates on the register of information that FIs are required to keep on third-party ICT services under Art. 28(3) of DORA.
    • Broadly, the information required to be registered includes details on the FI maintaining the register, the contractual arrangements in place, details on the third-party services provider, details on whether alternative services are available, and classification of the relevant services. Generally, the information contained within the register aligns with what we would expect to see included under Art. 28(3). 

The deadline for responses to this consultation package is 11 September 2023. The ESAs have made clear that all responses will be published unless requested otherwise. Following this, the final versions of these RTS and ITS are expected to be published in January 2024. 

The next stage after this will be for the ESAs to consult on the second batch of RTS, including:

  • Guidelines on how losses caused by major ICT incidents should be estimated
  • How major ICT incidents are to be reported to relevant regulators
  • Specifications for the threat-led penetration testing that FIs are required to carry out as part of their operational resilience obligations
  • Subcontracting ICT services that support critical functions and documents relating to the direct oversight regime for critical ICT third-party providers (CTPPs)

Other relevant developments

The ESAs have also previously consulted on the direct oversight regime for CTPPs, focused on both the CTPP assessment criteria and the fees CTPPs are required to pay. This discussion paper suggested that the ESAs' assessment of CTPPs will be through a two-stage test. Step one proposed indicators of a quantitative nature, which are to be assessed against minimum thresholds. Step two used indicators of a qualitative nature, which were designed to allow for a more granular assessment of the ICT provider. Only those providers which pass stage one would move onto stage two.

Step one factors vary between the different Art. 31(2) assessment criteria, but broadly include the number of financial entities served, the number of systemically important financial entities served, and the number of critical or important functions supported. Certain de minimis thresholds are set, below which ICT firms will not be caught by the CTPP designation. Many of these de minimis thresholds are set at 10% or less of the total value of assets/total assets equivalent per type of financial entity within the EU.

The de minimis thresholds indicate that a fair number of ICT providers would not amount to a CTPP, which aligns with the legislative intentions behind the direct oversight regime (i.e., to ensure that only the most systemic and important of ICT providers were subject to direct regulatory oversight).

The discussion paper also considered the amount of fees that CTPPs should pay as part of the direct oversight regime, which are designed to enable the ESAs recover the costs of operating the direct oversight regime. The ESAs have estimated that DORA oversight expenditure will amount to at least EUR 693,000 in 2025, EUR 2,553,000 in 2026 and EUR 2,683,000 in 2027 – but the discussion paper further indicated that these amounts are likely to be an underestimate as not all relevant tasks have been identified.

Art. 43 of DORA makes it clear that the amount a CTPP should pay will be based on their turnover. The ESAs have noted that they will need access to accounts within applicable deadlines to calculate the specific fees for each CTPP - but they expect that this will be manageable for CTPPs as they should be, in the ESAs' view "well-established companies". The ESAs also proposed that revenues generated by "all services" of the CTPPs should be considered in-scope when determining the oversight fee, but with a limitation to just EU based activities (including services provided into the EU from a third country). This is due to the risk that CTPPs will not have a harmonised approach on the definition of revenue.

To calculate the amount of fees, the ESAs propose using applicable turnover of the relevant CTPP divided by the total applicable turnover of all CTPPs, with a minimum fee fixed at EUR 50,000 to ensure that all CTPPs effectively pay, what the ESAs consider to be, their fair share. Payments are proposed to be collected once a year by the end of April each year to be invoiced and paid in Euros.

The deadline for responses expired in June. It is expected that the feedback to this discussion paper will form a part of the technical advice that the ESAs are required to submit to the European Commission in September 2023.

If you are a financial institution and would like assistance with ensuring your firm is compliant with DORA before the implementation window expires, our experts stand ready to help. Likewise, if you are an ICT provider and you want to understand what DORA means for you, or you are concerned that you could be deemed a 'critical' provider and be directly subject to financial services regulation, we can help you carry out a DORA impact assessment. Please contact our DORA leads above for further assistance.

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.