
EU technical standards published for ICT incident classification, contractual arrangements policy and risk management tools | A&O Shearman

The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:

  • Delegated Regulation 2024/1772 on the criteria for classifying incidents relating to information technology and cyber threats, establishing severity thresholds and specifying details for reporting serious incidents.
  • Delegated Regulation 2024/1773 specifying the detailed content of the policy on contractual arrangements for the use of ICT services supporting critical or important functions provided by external ICT service providers.
  • Delegated Regulation 2024/1774 specifying ICT risk management tools, methods, processes and principles and a simplified ICT risk management framework.

The Delegated Regulations will enter into force on 15 July 2024, the twentieth day following their publication in the Official Journal.
