DORA Regulation: ICT Third Party Service Provider Registers

On April 11, 2024, EIOPA announced a voluntary exercise led by the ESAs for financial entities to collect registers of information on ICT third-party service providers, aligning with the upcoming DORA regulation.



The European Insurance and Occupational Pensions Authority (EIOPA) made a major announcement on April 11, 2024, about the upcoming implementation of legislation governing financial entities' use of ICT third-party service providers. According to this news release, the European Supervisory Authorities (ESAs) will start a voluntary initiative in May to gather information about the contractual arrangements between financial entities and their ICT third-party providers. The exercise was designed in accordance with the ESAs' final draft Implementing Technical Standards.


The ESAs were to assist participating financial entities with building their registers of information, testing the reporting process, resolving data quality issues, and improving the internal procedures associated with the registers. These preparations were intended to ease the transition to the Digital Operational Resilience Act (DORA), which is expected to apply from 2025. Under DORA, financial entities must maintain registers of information on their use of ICT third-party service providers.


During the dry run exercise, information would be gathered from financial entities via the relevant national competent authorities (NCAs), helping to lay the foundation for the eventual implementation and reporting of registers of information under DORA. With respect to the impending regulatory requirements, this project represented a proactive step toward compliance and operational readiness within the financial sector.





DORA Regulation: ESMA on ICT Risk Management
The ESMA’s strategic realignment, in line with the DORA Regulation, marks a pivotal shift in the EU financial sector, focusing on cyber risk and digital resilience. This move signifies a proactive approach to ensuring market stability and sustainability.



Aligning ICT Risk Management: Draft RTS Overview


The draft Regulatory Technical Standards (RTS) are intended to provide comprehensive guidance for the management of Information and Communication Technology (ICT) risks in the banking sector under the Digital Operational Resilience Act (DORA) regulation. Important details of the ICT risk management framework and its streamlined version are outlined in this overview.


  • Harmonization Objective: To ensure uniformity and efficacy, the draft RTS aims to harmonize ICT risk management technologies, methodologies, processes, and policies throughout different financial firms.

  • Comprehensive Requirements: The RTS requires the implementation of twenty policies and procedures addressing important topics like physical security, human resources, identity management, access control, incident management, business continuity, encryption, project management, and the acquisition and maintenance of ICT systems.

  • Simplified Framework: In recognition of the differences among financial firms, particularly those operating under a simplified regime or with lesser scale, risk, size, and complexity, the RTS describes a simplified ICT risk management framework. This framework outlines the essential components, adapted to each entity's particular requirements, making regulatory compliance easier.

  • Harmonization Across Sectors: The RTS seeks to standardize ICT risk management requirements throughout various financial sectors by establishing common standards and best practices. This promotes uniformity, interoperability, and resilience in the financial ecosystem's response to ICT-related challenges.



Developing Incident Classification Standards: Final RTS Synopsis


The final draft of the Regulatory Technical Standards (RTS) provides criteria for classifying ICT-related incidents in the financial industry in accordance with the Digital Operational Resilience Act (DORA) regulation. This overview highlights the main regulatory provisions intended to improve information exchange and standardize incident classification procedures among national competent authorities (NCAs).


Main regulatory changes:


  • Classification Criteria: The final draft RTS establishes classification criteria for major ICT-related incidents, clearly outlining the elements to take into account when judging the impact and severity of an incident.

  • Method for Classification: It provides a framework for classifying significant events, guaranteeing uniformity and consistency in the evaluation and classification of ICT-related occurrences throughout the financial industry.

  • Materiality Thresholds: The RTS provides precise rules for determining the importance of incidents based on predetermined thresholds by defining materiality thresholds for each classification criterion.

  • Determining Major Cyber Threats: In addition, the RTS establishes materiality thresholds and criteria for recognizing significant cyber threats, which helps financial entities to prioritize and address emerging threats effectively.

  • Information Sharing: The RTS outlines the parameters by which NCAs evaluate whether an event is pertinent to another NCA and outlines the specifics of the incident data that must be exchanged amongst them. This makes it easier to collaborate and communicate during incident response activities.

  • Harmonized Process: Lastly, the RTS creates a uniform system for categorizing incident reports across the financial industry, encouraging uniformity and coherence in incident handling procedures.

Improving ICT Third-Party Service Provider Governance: Draft RTS Summary


The draft Regulatory Technical Standards (RTS) outline the policies and guidelines governing the use of ICT third-party service providers that support critical or important functions within the financial sector. These provisions concentrate on governance structures, risk management, and internal control frameworks, so that financial entities retain control over operational risk, information security, and business continuity throughout the contractual lifecycle.


Key provisions:


  • Governance Structures: The RTS outlines the governance structures that financial organizations need to set up in relation to using third-party ICT service providers. As part of this, internal roles for contract approval, management, control, and documentation are assigned.

  • Risk management: When using third-party ICT service providers, financial firms must put strong risk management procedures in place. This entails evaluating and reducing the operational risks related to outsourcing crucial or significant tasks.

  • Internal Control Framework: To oversee and guarantee adherence to the rules and agreements governing ICT third-party service providers, the RTS requires the creation of an internal control framework. Information security and operational resilience are dependent on this structure.

  • Group-Level Arrangements: To guarantee uniform policy execution among subsidiaries, the RTS places obligations on parent companies in the EU or Member States at the group level. This guarantees that the RTS is used effectively throughout the organization at all pertinent levels.

The overall goal of these regulations is to strengthen oversight and control over the use of ICT third-party service providers, protecting the vital operations and functions of financial entities and ensuring their stability and integrity.




Creating Uniformity: Final ITS for Information Register Templates


Templates for the register of information are included in the final draft of the Implementing Technical Standards (ITS). This is an important part of regulatory compliance with regard to contracts between financial entities and ICT third-party service providers. The register acts as an extensive database that describes the specifics of these agreements and makes efficient monitoring and risk control possible.


The creation of these templates, which are painstakingly crafted to collect crucial information pertaining to contractual agreements, is the foundation of the ITS. They cover a variety of aspects of the agreement, such as the conditions of the service provided, the contractual obligations, the risk management procedures, and other relevant data that is essential for oversight and governance.


The relational structure of the information register, which consists of linked tables connected by unique keys, is fundamental to its design. By efficiently organizing and retrieving data, this relational approach improves usability and accessibility for regulatory purposes.




Reporting Practices: The Key Role of Draft ITS


One of the standout features of the draft ITS is that it proposes a single set of templates to be used by all financial entities, groups, and sub-groups. This uniform method encourages consistency in reporting procedures, streamlining compliance efforts throughout the financial industry and enabling the harmonization and comparability of information.


By creating uniform reporting guidelines, the ITS also seeks to expedite regulatory assessment and supervision procedures. It promotes efficiency and efficacy in regulatory compliance by offering precise standards and templates, which eventually improves governance and transparency in contractual agreements with ICT third-party service providers.


All things considered, the implementation of these ITS is a big step in the direction of standardizing reporting procedures and encouraging openness in the contractual relationship management of the financial sector.



