Temenos responds to public consultation on second batch of draft Technical Standards under the Digital Operational Resilience Act (DORA)
Recap on DORA First Batch of Technical Standards
In our previous blog we addressed some of Temenos’ comments on the first batch of technical standards under DORA. These technical standards have now been finalized by the European Supervisory Authorities (the ESAs), and submitted to the European Commission on January 17th, 2024 for review and adoption in the following months.
DORA Second Batch of Technical Standards
On December 8th, 2023, the second batch of DORA draft regulatory and implementing standards was released, covering key areas, such as:
- Reporting of major ICT-related incidents & content and timelines
- Subcontracting of critical or important functions
- Threat-led penetration testing
- Conduct of oversight activities
The drafts were subject to a public consultation which is now closed, and the ESAs are tasked with finalizing the texts by July 17th, 2024 and submitting to the European Commission who has the delegated power to adopt them. We are proactively following the developments and will be analyzing the final versions of these standards which are expected to be published towards the end of 2024.
Temenos commentary
We identified certain areas in the proposed technical standards where we believe industry insights will bring added value, such as:
- Incident Reporting:
Initial Report: it is more appropriate for the 24-hour period for the submission of the initial report to be running from the moment the financial entity (FE) “becomes aware” of the incident, rather than the moment of “detection”. This is a more neutral approach and reflects the fact that incidents may not always be initially detected by the FE itself, for instance where certain functions have been subcontracted or outsourced to a third party. Also, this wording is better aligned with the NIS2 Directive.
Intermediate Report: this report should be submitted within 72 hours from the classification of the incident as major or when regular activities have been recovered. However, the clarification “whichever is longer” should be added, to ensure flexibility, recognizing that restoring normal business operations may extend beyond the envisaged 72-hour period.
Final Report: where an incident has not been resolved within one month from its classification as major, the final report must be submitted the following day after it has been resolved “permanently’. At the time of resolution, it is difficult to have full knowledge of whether the resolution is “permanent” or not, hence “considered to be resolved” by the FE is a preferable language to be adopted.
- Thread-led Penetration Testing (TLPT)
The participation of an ICT third-party service provider in the FE’s TLPT should be mutually discussed and agreed upon by both parties. This agreement should allow third parties to engage in TLPT activities without compromising the security of their infrastructure or other clients. Key aspects to be agreed upon between the FE and the service provider include, among others, the timing of the TLPT, the service provider’s monitoring role during testing, prohibition of DoS (denial of service) attacks, and the timely reporting of any identified security flaws to the third party.
Next steps
The DORA’s regulatory framework is a work in progress and we continue to proactively monitor the regulatory advancements, ensuring that Temenos stays informed of the latest news. We’ll share further regulatory compliance updates as the framework is approaching its finalization.