On 13 June 2023, the European Supervisory Authorities (ESAs) published the Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes, and policies, as required by Articles 15 and 16(3) of Regulation (EU) 2022/2554; the consultation on the draft will remain open until 11 September 2023. This regulation, known as DORA, focuses on digital operational resilience for the financial sector. The new standards aim to enhance the harmonisation of ICT risk management across financial entities. They mandate the establishment of a process and methodology for conducting ICT risk assessments, identifying the vulnerabilities and threats that may impact business functions, ICT systems, and supporting assets. The standards emphasise the correct identification and classification of ICT and information assets, together with strong encryption algorithms and cryptographic controls, to reduce the risk of data breaches and unauthorised manipulation. They also stress the importance of ICT operations security and network security. Additionally, they require the implementation of business continuity policies, response and recovery plans, and thorough testing to ensure adequate response and recovery of ICT systems in case of disruptions.