Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply from 17 January 2025. It aims to strengthen the information and communication technology (ICT) security of financial entities within the remit of the three ESAs and to ensure that the European financial sector can remain resilient in the event of a severe digital operational disruption. DORA harmonises the rules on digital operational resilience for the financial sector, applying to 21 different types of financial entities, of which 12 fall within the remit of ESMA.

Why is DORA needed?

The financial sector is increasingly dependent on information and communication technology (ICT) tools and systems to deliver its financial services, and it increasingly relies on ICT service providers to do so. This may expose financial entities to ICT (third-party) risk, because the delivery of their financial services depends on entities that are neither directly supervised nor subject to the same regulatory frameworks (i.e. where the ICT service providers are not themselves financial entities).

When not managed properly, ICT risks can disrupt the delivery of financial services. Such disruptions can affect other financial entities, other sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

ICT risk management

A framework setting principles and requirements on ICT risk management.

ICT third-party risk management

Mitigation of ICT third-party risk; key contractual provisions.

Digital operational resilience testing

Operational resilience testing programme encompassing a range of tests, including advanced testing.

ICT-related incidents

Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.

Information sharing

Exchange of information and intelligence on cyber threats.

Oversight of critical third-party providers

Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.

Links to DORA policy requirements

DORA Level 1:

DORA Level 2-3 by topic (publication in the Official Journal / on the ESAs' websites):

Risk management

Commission Delegated Regulation (EU) 2024/1774 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework (DORA Art. 15 and 16)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1774

Commission Delegated Regulation (EU) 2024/1773 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (DORA Art. 28.10)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1773

Commission Implementing Regulation (EU) 2024/2956 with regard to standard templates for the register of information (DORA Art. 28.9)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402956

Incident reporting

Commission Delegated Regulation (EU) 2024/1772 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (DORA Art. 18.3)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1772

Guidelines (GL) on the estimation of aggregated annual costs/losses caused by major ICT incidents (DORA Art. 11.12)
https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-34_-_Final_report_GL_on_costs_and_losses.pdf

Oversight framework

Guidelines (GL) on cooperation between the ESAs and competent authorities (CAs) regarding the structure of the oversight (DORA Art. 32.7)
https://www.esma.europa.eu/sites/default/files/2024-11/JC-GL-2024-36_Guidelines_on_DORA_oversight_cooperation.pdf

Commission Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities (DORA Art. 31.8)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401502

Commission Delegated Regulation (EU) 2024/1505 on the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid (DORA Art. 43.2)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401505

To provide greater clarity on the supervisory expectations for the application of DORA and on the timeline for the first designation of critical ICT third-party service providers (CTPPs) in 2025, the ESAs published a public statement in December 2024.

The European Commission has communicated on the further steps towards the implementation of DORA.


On 30 April 2025, the ESAs expect to collect the DORA registers of information from the competent authorities. Financial entities can find all the relevant material to prepare for the reporting of their DORA registers on the EBA's website: see the main page on the register reporting and relevant reporting framework.
