Financial Regulatory Standards: ICT Risk Management & DORA

The ESAs are drafting regulations to harmonize ICT risk management in finance, responding to the EU's digital resilience regulation. The new standards aim to boost security, prevent data misuse, and improve data transmission.

Digital Operational Resilience in the Financial Sector through Regulatory Standards

Source: European Banking Authority. Keywords: EU Digital Operational Resilience Act, risk management, digital operational resilience.

The European Supervisory Authorities (ESAs) are developing draft regulatory technical standards (RTS) to further harmonize ICT risk management tools, methods, processes, and policies in the financial sector. This comes as a response to the mandate under the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). The proposed RTS aims to enhance the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the availability, authenticity, integrity, and confidentiality of data, and guarantee accurate and prompt data transmission without major disruptions and undue delays. The draft RTS is divided into two titles, with the first addressing digital operational resilience requirements for financial entities, and the second focusing on a simplified ICT risk management framework for certain financial entities. The ESAs will consider feedback from the consultation process to ensure that the requirements are clear, proportionate, and effective in improving digital operational resilience across the financial sector.

Regulatory Standards for Enhanced DORA: Compliance Considerations for Financial Entities
The European Supervisory Authorities (ESAs) are currently developing draft regulatory technical standards (RTS) to enhance digital operational resilience in the financial sector. This initiative is a response to the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). The draft RTS aims to harmonize ICT risk management tools, methods, processes, and policies across the financial sector in the European Union.

The proposed RTS has significant implications for financial entities, regulators, and the industry as a whole. Let's explore the key connections and insights:


  • Harmonized Approach: The harmonization of ICT risk management practices through the RTS will create a consistent approach to digital operational resilience across the financial sector. Financial entities will benefit from a standardized framework that enables better understanding of their risk exposure and the implementation of more effective risk management strategies. This will facilitate cross-border cooperation and information sharing among regulators, ultimately improving overall cybersecurity and risk mitigation efforts.

  • Enhanced Security Measures: The draft RTS aims to enhance network security, safeguard against intrusions and data misuse, and ensure the availability, authenticity, integrity, and confidentiality of data. Financial entities will need to review and potentially upgrade their ICT risk management practices, tools, and policies to comply with the proposed requirements. Implementing robust security measures such as firewalls, intrusion detection systems, and data encryption will be essential to proactively address potential cyber threats and disruptions.

  • Proactive Risk Mitigation: The proposal will encourage financial entities to adopt a proactive and integrated approach to risk management by incorporating digital operational resilience into their overall business strategy and operations. This means understanding and managing risk exposure, making informed decisions about risk acceptance and mitigation, and implementing appropriate measures to ensure the overall security and resilience of their operations. Compliance with the RTS will help financial entities better prepare for potential cyber threats, reducing the likelihood of systemic failures and financial crises.

  • Innovation and Investment: The regulation will drive innovation and investment in cybersecurity solutions and technologies. As financial entities are required to adhere to more stringent digital operational resilience standards, there will be an increased demand for advanced cybersecurity tools and solutions. This demand will spur investment and innovation in the cybersecurity industry, benefiting both financial entities and consumers.

  • Compliance and Timeline: Financial entities must prepare for compliance with the RTS within a reasonable timeframe determined by the ESAs. The exact timeline will depend on the finalization of the regulatory technical standards and subsequent adoption by the European Union. Financial entities should proactively review their current ICT risk management practices, identify gaps, and implement necessary changes to ensure compliance. This may include conducting vulnerability assessments, penetration testing, and providing relevant training and awareness programs to employees.

Read More

19/06/2023 - ESAs Joint Committee consultation on Technical Standards under DORA - European Banking Authority
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing techni…
