
In early December 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA - together the ESAs) published a consultation on the second batch of policy products under the Digital Operational Resilience Act (DORA). This batch of technical standards covers subcontracting, threat-led penetration testing, and incident reporting and incident costs. We responded to the consultation on March 4.
Again far-reaching obligations with limited room for proportionality
In our response to the first batch of level-2 texts, we expressed concerns about the limited application of the general principle of proportionality as contained in DORA itself. In the second batch of policy documents, too, there appears to be limited scope for applying proportionality. For example, the timelines for incident reporting have been aligned with those of the NIS2 regulation. This means that the tight timelines for comprehensive reporting also apply to entities that are not in scope of that regulation, even though the ESAs' mandate explicitly allows them to take different types of companies into account. With regard to the obligations relating to subcontractors, the possibility of applying the proportionality principle also seems limited: while the first article of the RTS lists elements that may lead to increased or decreased risk when using subcontractors, the impact of that analysis on the application of the obligations contained in the RTS is limited.
Regulatory burden and costs
The consulted policy documents entail far-reaching obligations, such as producing complex incident and incident cost reports, monitoring subcontractors, and conducting threat-led penetration testing. Although the ESAs estimate (e.g. in the RTS commentary on subcontractors) that the cost of implementation is small, the extensive requirements and the limited application of the proportionality principle will lead to a significant increase in workload and thus in costs.