INFORMATION TECHNOLOGY
EU Commission Delegated Regulations implementing certain obligations of the DORA Regulation published in the Official Journal of the EU.
The following delegated acts implementing EU Regulation 2022/2554 on digital operational resilience (DORA Regulation) have been published in the Official Journal of the European Union:
- Delegated Regulation (EU) 2024/1772 on criteria for the classification of cyber incidents
- Delegated Regulation (EU) 2024/1773 on the policy for the provision of ICT services by third parties in support of essential or important functions
- Delegated Regulation (EU) 2024/1774 on IT risk management tools, methods, processes and policies
The delegated regulations will enter into force on 15 July 2024 and will be binding in their entirety and directly applicable.
Many financial, banking and insurance entities that must implement EU Regulation 2022/2554 on Digital Operational Resilience (DORA Regulation) as of 17 January 2025 will have to review many of their internal management policies. Chapter V, for example, with only three articles (28-30), redesigns and profoundly affects the procedures for selecting and qualifying ICT suppliers, the very structure of contracts with third-party ICT suppliers, and the lifecycle of those contracts. Moreover, the DORA Regulation obliges entities to update roles, organisational charts and directives to personnel; affects training plans, which are to be differentiated according to management or non-management role; rewrites the responsibilities of statutory auditors; and, above all, places the management body at the centre of the system of responsibility. The publication in the Official Journal on 25 June of the above-mentioned delegated acts of the EU Commission (which, among other things, complete an overall framework comprising DORA, the Regulatory Technical Standards (RTS) issued between January and July 2024, and delegated acts of extraordinary complexity and articulation) confirms the need to coordinate DORA requirements with other existing policies. Consider, for example, the deep intertwining between the DORA Regulation and the GDPR: not only does the DORA Regulation insist on obligations to ensure the 'authenticity, integrity, confidentiality and availability' of both personal and non-personal data, but the delegated acts now published also regulate the impact of DORA obligations on GDPR compliance policies already in place.
For example, Delegated Regulation (EU) 2024/1772 on criteria for classifying IT incidents sets out the relationship with GDPR data breach notification in the event of an incident; and Delegated Regulation (EU) 2024/1773 on the policy for the provision of ICT services by third parties in support of 'essential or important functions' recalls that, where the provider is also an external Data Protection Officer under the GDPR, the data protection requirements are to be included in the policy, which (see e.g. Art. 5, paragraph 3, letter (e) of the GDPR) must also include a specific preliminary risk assessment of the provider with regard to "risks related to the protection of confidential or personal data" (an assessment that Guidelines 7/2020 of the European Data Protection Board on the concepts of controller and processor also require to be carried out on the external provider-processor).