FIA and FIA EPTA have submitted responses to three consultations issued by the European Supervisory Authorities on the second batch of policy products under the EU Digital Operational Resilience Act (DORA).
The consultations cover regulatory technical standards on the subcontracting of information and communication technology (ICT) services, content, timelines and templates for incident reporting, and threat-led penetration testing.
In the responses, the associations advocate for a balanced and outcomes-based approach that will allow financial entities to effectively manage supply chain risks and leverage contractual frameworks and third-party expertise while remaining ultimately accountable for assessing and monitoring the risks associated with the ICT subcontracting chain.
They also recommend that the ESAs consider reducing the reporting burden on financial entities in key stages of the reporting process, to ensure financial entities are able to direct critical resources to address major ICT-related incidents.
Read the responses here:
FIA response to RTS and ITS on content, timelines and templates on incident reporting
FIA response to RTS on subcontracting ICT services
FIA response to RTS on threat-led penetration testing (TLPT)