On the 17th of January 2024, the European Supervisory Authorities EBA, ESMA and EIOPA (the ESAs) published a set of four new final draft regulatory technical standards (RTS) under regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA). They concern:
- RTS on criteria for the classification of ICT-related incidents and threats;
- RTS on ICT risk management framework and on simplified ICT risk management framework;
- RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs); and
- RTS to establish the templates for the register of information.
In this blog, we summarise the key points of each draft RTS and visualise the classification of a ‘major incident’ and a ‘significant cyber threat’.
1. RTS on classification as a ‘major incident’ and ‘significant cyber threat’
DORA distinguishes ‘major ICT-related incidents’ and ‘major operational or security payment-related incidents’ (major incidents). According to Article 3 (definitions) DORA, a ‘major ICT-related incident’ is an ICT-related incident that has a high adverse impact on the network and information systems…