Subject Matter
Size Thresholds for Self-Managed AIFs and UCITS
Question
We have been discussing a number of queries submitted by the local industry regarding practical difficulties when applying the definitions of micro, small and medium-sized enterprises as per Article 3 points (60), (63) and (64) of the DORA Regulation to self-managed AIFs and UCITS. We would like to obtain further clarification on the correct and proportionate interpretation of “annual turnover”, “total assets” and “employees” in the context of self-managed AIFs and UCITS.
Subject Matter
Queries related to incident reporting
Question
Good morning, I would like to raise two queries related to incident reporting:

First, following the publication of the second batch of DORA RTS, and in relation to the RTS Final Report Draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents and Draft Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat, we would like to raise two queries:
- On the one hand, Article 6 on the notification time limits for the intermediate report states that financial entities shall submit, without undue delay, an updated intermediate report in any case when regular activities have been restored. Therefore, is updating the intermediate report mandatory in that situation?

- On the other hand, the RTS does not identify the competent authority to which the various reports must be submitted. In our case, Spain, we have INCIBE as the reference CSIRT and also BANCO DE ESPAÑA as the competent authority. Could you tell us specifically to whom those reports should be submitted, please?

Second, although it has no close relationship with DORA, it has also turned out to be necessary to prepare a half-yearly report for the European Banking Authority (EBA) on the cybersecurity incidents suffered, for the purpose of carrying out statistical studies in the sector. Could you help us confirm whether this information is correct and where we could find the reference, please?
Subject Matter
Scope of the definition of ICT services
Question
As the manager of an Alternative Investment Fund (AIF), we provide specialized investment opportunities to professional investors such as pension funds, insurers, and banks within the EU. Consequently, both our firm and our investors fall within the scope of DORA.

Our investors can access their portfolios through an online portal operated by a third-party service provider (an ICT third-party service provider). We intend to establish a DORA addendum with this ICT third-party service provider to address this specific ICT service.

Several of our investors have inquired about DORA compliance in relation to their contractual relationship with us. While we are committed to ensuring the portal itself is compliant, we believe our core service – providing investment opportunities – does not constitute an ICT service under DORA. The online portal is merely a supplementary tool for accessing reports, not a fundamental part of our contractual obligations. This view is further supported by the fact that our agreements with investors only stipulate that we provide them with reports, without specifying the method of delivery.

Given these considerations, do you agree with our assessment that our services to investors do not fall under the definition of an ICT service as per DORA and that we, in respect of our investors, cannot be considered an ICT third-party service provider?
Subject Matter
Questions on Microenterprises and RMF
Question
QUESTION 1: Internal Audit Frequency for Microenterprises and financial entities subject to the simplified risk management framework
Recital 43 of DORA states that microenterprises and financial entities (FEs) referred to in Article 16(1) of DORA are not required to conduct regular internal audits of their ICT risk management framework (RMF). Does it conflict with Article 28, paragraph 5 of Commission Delegated Regulation (EU) 2024/1774 (RTS) that mandates an internal audit on the ICT RMF in line with the FE’s audit plan?

QUESTION 2: ICT Testing Requirements for Microenterprises and Financial Entities – Cyber-attack scenarios
Article 11.6 of DORA excludes microenterprises from the requirement to include cyber-attack scenarios in their ICT business continuity and recovery plan testing. Does it conflict with Article 39, paragraph 1 of the Commission Delegated Regulation (EU) 2024/1774 (RTS), which mandates the inclusion of cyber-attack scenarios in the testing plans for financial entities referred to in Article 16(1) of DORA?

QUESTION 3: Recital 43 of DORA specifies that microenterprises and financial entities referred to in Article 16(1) of DORA are not required to regularly conduct risk analyses on legacy ICT systems. Does it conflict with Article 34, paragraph 1, point (e) of the Commission Delegated Regulation (EU) 2024/1774 (RTS) which mandates that financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 must manage the risks related to outdated or unsupported and legacy ICT assets?