On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a draft Regulatory Technical Standard (RTS) to further harmonise ICT risk management tools, methods, processes and policies, as mandated under the Digital Operational Resilience Act (DORA). The draft RTS on the ICT risk management framework, together with the simplified framework for financial entities eligible for simplified treatment, aims to align practices with regard to critical functions, governance arrangements, lifecycle phases, risk assessment, due diligence, conflicts of interest, contractual clauses, and monitoring. It responds to the increasing complexity and frequency of ICT-related incidents in the financial sector by establishing a common risk framework while recognising the diversity of financial entities' size and risk profiles. It would introduce requirements for ICT risk management under DORA, with a simplified framework for smaller and less complex entities, promoting digital operational resilience across all entities. The draft RTS is technology-neutral, principle-based and objective-focused, and applies proportionality in implementation so that requirements remain effective while minimising the burden on financial entities and supervisors. The draft has been submitted to the European Commission, which will review it with a view to adoption.