Mondo Visione Worldwide Financial Markets Intelligence

FTSE Mondo Visione Exchanges Index:

CCData-468x60x2.jpg BT_Radianz_468x60_Jul23 FEAS 30th Anniversary Conference

EACH Responds To ESAs’ Joint Consultation On Second Batch Of Policy Mandates Under The Digital Operational Resilience Act (DORA)

Date 05/03/2024

On Monday 4th March EACH responded to some of the ESAs’ joint consultation on second batch of policy mandates under the Digital Operational Resilience Act (DORA).  EACH Members would like to underline the following key messages:

  • Timeline for the implementation of DORA – EACH Members consider that the timeline for the implementation of DORA (which will apply from 17 January 2025) appears to be extremely challenging. EACH Members are therefore calling for an extension of such timeline in order to ensure a smooth and efficient implementation. We would expect Authorities to provide comfort to the industry accordingly as well as some prioritisation of the aspects of DORA that should be implemented first.
  • Major incident reporting – The amount of data fields to be provided in the context of the initial, intermediate and final reports seems often excessively detailed and, in some cases, potentially misleading. EACH Members have therefore put forward some proposals regarding a re-organisation of such data fields by, for instance, suggesting certain data fields to be moved from the initial reports to the intermediate one.
  • Subcontracting ICT services supporting critical or important functions – EACH Members suggest not to include in the definition of ‘subcontracting’ those cases where ICT services supporting critical or important functions are provided from the parent company to a subsidiary or the reverse. Furthermore, we consider that monitoring subcontracting conditions through the review of contractual documentation between ICT third-party service providers and subcontractors is unrealistic.
  • Elements related to TLPT – EACH overall agrees with the approach proposed in the consultation document (cross-sectoral, proportional, two-layered). We would nevertheless suggest that external testers and threat intelligence providers should prove their experience not only in TLPT, but also in TLPT in the financial sector. In addition, to avoid high costs and unnecessary burden to the financial entity for preparing and managing the tests and to recognize the above specific situation and requirements, financial entities should be allowed to rely on TLPT that are performed by ICT third-party service providers.

 

For more information, please visit our website www.eachccp.eu

MV 120 X 600 Hard to Reach BT_Radianz_120x600_Jul23.jpg FEAS_2025_MondioVisione_120x600-banner