Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that entered into force on 16 January 2023 and applies from 17 January 2025. It aims to strengthen the information and communication technology (ICT) security of financial entities within the remit of the three European Supervisory Authorities (ESAs: EBA, EIOPA and ESMA) and to ensure that the European financial sector can remain resilient in the event of a severe operational digital disruption. DORA harmonises the rules on digital operational resilience for the financial sector and applies to 21 different types of financial entities, 12 of which fall within the remit of ESMA.
Why is DORA needed?
The financial sector increasingly depends on information and communication technology (ICT) tools and systems to deliver its financial services, and financial entities increasingly rely on ICT service providers for those tools and systems. This exposes financial entities to ICT third-party risk: the delivery of their financial services depends on entities that are neither directly supervised nor subject to the same regulatory framework (i.e. where the ICT service provider is not itself a financial entity).
When not managed properly, ICT risks can disrupt the delivery of financial services. Such a disruption can spread to other financial entities, to other sectors and even to the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
ICT risk management
A framework setting principles and requirements on ICT risk management.
ICT third-party risk management
Mitigation of ICT third-party risk; Key contractual provisions.
Digital operational resilience testing
Operational resilience testing programme encompassing a range of tests, including advanced testing.
ICT-related incidents
Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.
Information sharing
Exchange of information and intelligence on cyber threats.
Oversight of critical third-party providers
Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.
Links to DORA policy requirements

DORA Level 1:

DORA Level 2-3 by topic:

| Risk management | Publication in Official Journal / ESAs websites |
|---|---|
| Commission Delegated Regulation (EU) 2024/1774 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework (DORA Art. 15 and 16) | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1774 |
| Commission Delegated Regulation (EU) 2024/1773 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (DORA Art. 28.10) | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1773 |
| Commission Implementing Regulation (EU) 2024/2956 with regard to standard templates for the register of information (DORA Art. 28.9) | https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402956 |

| Incident reporting | Publication in Official Journal / ESAs websites |
|---|---|
| Commission Delegated Regulation (EU) 2024/1772 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (DORA Art. 18.3) | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1772 |
| Guidelines (GL) on the estimation of aggregated annual costs/losses caused by major ICT-related incidents (DORA Art. 11.12) | https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-34_-_Final_report_GL_on_costs_and_losses.pdf |

| Oversight framework | Publication in Official Journal / ESAs websites |
|---|---|
| Guidelines (GL) on cooperation between the ESAs and competent authorities (CAs) regarding the structure of the oversight (DORA Art. 32.7) | https://www.esma.europa.eu/sites/default/files/2024-11/JC-GL-2024-36_Guidelines_on_DORA_oversight_cooperation.pdf |
| Commission Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities (DORA Art. 31.8) | https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401502 |
| Commission Delegated Regulation (EU) 2024/1505 on the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid (DORA Art. 43.2) | https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401505 |
In December 2024 the ESAs published a public statement to provide greater clarity on supervisory expectations regarding the application of DORA and on the timeline for the first designation of critical ICT third-party service providers (CTPPs) in 2025.
The European Commission has also communicated the further steps towards the implementation of DORA.
On 30 April 2025 the ESAs expect to collect the DORA registers of information from the competent authorities. Financial entities can find all the relevant material to prepare for the reporting of their DORA registers on the EBA's website: see the main page on the register reporting and the relevant reporting framework.