The text of the DORA regulation is pretty lengthy, but nevertheless it doesn’t specify all the requirements — it has prescribed that certain details will be further specified in Commission Delegated Regulations (CDRs).
Commission Delegated Regulations (CDRs) specify in more detail certain rules on how DORA will be applied, and can be considered as its appendices.
Commission Delegated Regulations are regulatory technical standards published by the EU Commission that further specify certain rules for DORA — they can be considered as appendices to DORA. Such CDRs are proposed by European Supervisory Authorities, and then published by the EU Commission.
Which DORA CDRs have been published?
At the time this article was written, the following CDRs were published:
- CDR 2024/1502 – The criteria for the designation of ICT third-party service providers as critical for financial entities — related to DORA Article 31
- CDR 2024/1505 – The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid — related to DORA Article 43
- CDR 2024/1772 – The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents — related to DORA Article 18
- CDR 2024/1773 – Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers — related to DORA Article 28
- CDR 2024/1774 – Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework — related to DORA Article 15 and Article 16
Explanation of DORA CDRs
Let’s analyze each of these CDRs in more detail:
CDR 2024/1502 – The criteria for the designation of ICT third-party service providers as critical for financial entities specifies:
- European Supervisory Authorities must use a set of criteria to decide whether an ICT third-party service provider is critical.
- Those criteria include: systemic impact, systemic character and importance, criticality or importance of the functions, and degree of sustainability.
See also: Which IT companies need to comply with DORA, and how?
CDR 2024/1505 – The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid specifies:
- Lead Overseers must calculate the oversight fees based on their overall cost of supervision.
- The minimum annual oversight fee is €50,000 per critical ICT third-party service provider.
- Oversight fees are paid once a year.
CDR 2024/1772 – The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents specifies:
- Financial entities need to take into account various aspects of an incident when deciding if it is a major incident.
- Those aspects include: number of clients affected, number of financial counterparts affected, amount of transactions affected, reputational impact, duration and service downtime, geographical spread, data losses, criticality of services affected, and economic impact.
- Financial entities must classify threats, and decide if threats are significant based on several criteria.
CDR 2024/1773 – Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers specifies:
- When creating the policy for contractual arrangements on the use of ICT services, financial entities must take into account overall risk profile and complexity, and include several elements in the policy.
- Elements that must be included in the policy are: governance arrangements, life cycle for the adoption and use of contractual arrangements, risk assessment, due diligence, conflicts of interest, contractual clauses, monitoring of the contractual arrangements, and exit from and termination of the contractual arrangements.
CDR 2024/1774 – Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework specifies:
- A very detailed list of ICT security policies, procedures, protocols, and tools that financial entities need to establish.
- These must cover several areas, including ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical and environmental security, human resources policy, identity management, access control, ICT-related incident detection and response, ICT business continuity management, and report on the ICT risk management framework review.
- The CDR specifies separate rules for a simplified ICT risk management framework.
Upcoming CDRs
Here are some of the CDRs that are in the process of being published:
- Technical standards on major incident reporting
- Guidelines on oversight cooperation
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents
- Regulatory technical standards on the harmonization of conditions enabling the execution of the oversight activities
- Regulatory technical standards specifying elements related to threat-led penetration tests
- Regulatory technical standards on the criteria for determining the composition of the joint examination team
- Regulatory technical standards on subcontracting ICT services supporting critical or important functions under DORA
So, as you can see, DORA in itself is already pretty specific when it comes to cybersecurity rules, but together with these CDRs it becomes very demanding with regard to how cybersecurity needs to be implemented.
For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.