The European Supervisory Authorities (ESAs) have launched a public consultation on the second batch of draft technical standards under the Digital Operational Resilience Act (DORA).

This follows the first batch of draft technical standards, launched for consultation in June 2023, which we discussed here.

Second Batch

On 8 December 2023, the ESAs launched the second batch of technical standards for public consultation. This package includes four sets of Regulatory Technical Standards (RTS), one set of Implementing Technical Standards (ITS) and two sets of guidelines (GL) in the areas of ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. Namely, the batch consists of:

  • RTS and ITS on content, timelines and templates for incident reporting;
  • GL on aggregated costs and losses from major incidents;
  • RTS on subcontracting of critical or important functions;
  • RTS on oversight harmonisation;
  • GL on oversight cooperation between ESAs and competent authorities;
  • RTS on threat-led penetration testing (TLPT).

In our view, the most important standards to be reviewed relate to the incident reporting, the subcontracting of critical or important functions, and the threat-led penetration testing as each of those standards will have a direct impact on how compliance with DORA is achieved. For example, within the new RTS on the subcontracting of critical or important functions, new mandatory contractual provisions are being proposed in Article 4 in relation to critical or important function arrangements. A number of these provisions are very similar to those already provided for in outsourcing, cyber security and operational risk guidelines published by the Central Bank of Ireland, the EBA and EIOPA.

Interested stakeholders may submit comments on the second batch before 4 March 2024. Based on the feedback the ESAs receive in the public consultation, the standards will be finalised and submitted to the European Commission by 17 July 2024. This is exactly six months before DORA becomes directly effective across the EU, on 17 January 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.