What are DORA Commission Delegated Regulations?

The text of the DORA regulation is fairly lengthy, but it still does not spell out every requirement in detail: it prescribes that certain details are to be further specified in Commission Delegated Regulations (CDRs).

Commission Delegated Regulations (CDRs) specify in more detail how certain DORA rules are to be applied, and can be considered its appendices. They are adopted and published by the European Commission on the basis of draft regulatory technical standards (RTS) drawn up by the European Supervisory Authorities (EBA, EIOPA and ESMA); once adopted, a CDR is directly applicable in all EU member states, just like DORA itself.


Which DORA CDRs have been published?

At the time this article was written, five CDRs had been published; they are listed and explained one by one in the next section.

Explanation of DORA CDRs

Let’s analyze each of these CDRs in more detail:

CDR 2024/1502 – The criteria for the designation of ICT third-party service providers as critical for financial entities specifies:

  • The European Supervisory Authorities must apply a defined set of criteria when deciding whether an ICT third-party service provider is to be designated as critical.
  • Those criteria are: the systemic impact a failure of the provider would have on financial services, the systemic character and importance of the financial entities that rely on the provider, the criticality or importance of the functions it supports, and the degree of substitutability of the provider (i.e., how easily it could be replaced).

See also: Which IT companies need to comply with DORA, and how?

CDR 2024/1505 – The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid specifies:

  • Lead Overseers calculate the oversight fees from the overall cost of their oversight activities, so that the fees cover those costs.
  • Each critical ICT third-party service provider pays a minimum annual oversight fee of €50,000.
  • Oversight fees are charged and paid once a year.

CDR 2024/1772 – The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents specifies:

  • To decide whether an ICT-related incident is major, financial entities must assess it against a defined set of classification criteria, each with its own materiality threshold.
  • Those criteria are: the number of clients and financial counterparts affected and the number or value of transactions affected, reputational impact, duration of the incident and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact.
  • An incident is classified as major only when the criterion on critical services affected is met together with the thresholds of further criteria, so a single metric crossing its threshold does not by itself trigger the major-incident reporting obligation.
  • Financial entities must also classify cyber threats, and decide whether a threat is significant on the basis of a similar set of criteria.

CDR 2024/1773 – Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers specifies:

  • When drawing up its policy on contractual arrangements for the use of ICT services supporting critical or important functions, a financial entity must take into account its overall risk profile and the scale and complexity of its business, and must cover a defined set of elements in the policy.
  • The elements that must be covered are: governance arrangements, the life cycle for the adoption and use of contractual arrangements, risk assessment, due diligence, conflicts of interest, contractual clauses, monitoring of the contractual arrangements, and exit from and termination of the contractual arrangements.

CDR 2024/1774 – Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework specifies:

  • A very detailed list of ICT security policies, procedures, protocols, and tools that financial entities must establish.
  • These must cover several areas, including ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical and environmental security, human resources policy, identity management, access control, ICT-related incident detection and response, ICT business continuity management, and the report on the review of the ICT risk management framework.
  • The CDR also sets out separate, lighter rules for the simplified ICT risk management framework that applies to the smaller financial entities listed in DORA Article 16.

Upcoming CDRs

Here are some of the regulatory technical standards and guidelines that were still in the process of being finalized or published. Note that only the regulatory technical standards become CDRs once the Commission adopts them; the guidelines are issued by the European Supervisory Authorities directly and are not delegated regulations:

  • Technical standards on major incident reporting
  • Guidelines on oversight cooperation
  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents
  • Regulatory technical standards on the harmonization of conditions enabling the execution of the oversight activities
  • Regulatory technical standards specifying elements related to threat-led penetration tests
  • Regulatory technical standards on the criteria for determining the composition of the joint examination team
  • Regulatory technical standards on subcontracting ICT services supporting critical or important functions under DORA

So, as you can see, DORA itself is already fairly specific when it comes to cybersecurity rules, but combined with these CDRs it becomes very demanding in how cybersecurity must be implemented.

For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.