ICT Risk Management Framework and Regulatory Technical Standards

ICT risk management framework and Regulatory Technical Standards on a simplified ICT risk management framework

Regulatory Technical Standards (RTS) are regulatory guidance established by the European Parliament and the Council under the Digital Operational Resilience Act (DORA). They aim to integrate risk management tools, methods, processes and policies in the field of Information and Communication Technologies (ICT).

This draft is established pursuant to DORA, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022. The European Supervisory Authorities (ESAs) have prepared these draft regulatory technical standards (RTS) in order to harmonise the ICT risk management tools, methods, processes and policies of organisations in the financial sector.

These regulatory standards are important for both large and small enterprises. More specifically, we can analyse risk management practices in the ICT field as follows. 

General Evaluation  

During the public consultation held between June and September 2023, 120 responses were received and evaluated in detail. In line with the comments received, some changes were made to the draft RTS.

These changes include clarifications on the principle of proportionality and risk-based approaches, network security, encryption, access control and business continuity. Furthermore, as the specific requirements for cloud computing are controversial, technology-specific requirements have been avoided and requirements for general ICT assets and service providers have been set. 

The main changes to the RTS draft are as follows: 

Proportionality and Risk-Based Approach: In line with the feedback, governance and information security awareness items were removed from the general requirements, and clarifications were made on network security, encryption, access control and business continuity.

Cloud Computing: Specific requirements for cloud computing were considered controversial and were avoided in favour of technology neutrality. Instead, the services provided by ICT third party service providers are discussed in general. 

Evaluation of Feedback: Public feedback was evaluated and the changes deemed appropriate were reflected in the draft RTS.  

General Principles of Regulatory Technical Standards 

The draft RTS contains a number of sections covering generic elements such as ICT security policies, procedures, protocols and tools. These elements are intended to enable financial institutions to effectively manage ICT risks. The RTS adopts a technology neutral approach, giving financial institutions the flexibility to choose and implement risk management measures. It also provides a simplified roadmap for small financial institutions, taking into account their limited resources and capabilities. 

ICT Risk Management and Business Continuity Management 

The draft RTS contains detailed regulations on specific topics such as ICT asset management, encryption and cryptography, ICT operations security, network security, project and change management. These regulations aim to help financial institutions manage ICT risks and increase their digital operational resilience. As for business continuity management, business continuity plans should be tested annually and the results of these tests should be reported to the board of directors. 

The draft RTS provides comprehensive and detailed regulations aimed at increasing the level of digital operational resilience of the financial sector. Amendments made in line with public feedback have made the draft more applicable and flexible. The draft RTS aims to help financial institutions effectively manage their ICT risks and increase their digital operational resilience. For more information on this topic, please contact us at info@cfecert.co.uk. 