Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims at strengthening the information and communication technology (ICT) security of financial entities in the remit of the 3 ESAs and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational digital disruption. DORA brings harmonisation of the rules relating to digital operational resilience for the financial sector applying to 21 different types of financial entities, of which 12 are in the remit of ESMA.

Why is DORA needed?

The financial sector is increasingly dependent on information and communication technology (ICT) tools and systems to deliver its financial services, for which it increasingly relies on ICT service providers. This may expose financial entities to ICT (third-party) risk, because the delivery of their financial services depends on entities that are neither directly supervised nor subject to the same regulatory frameworks (i.e. when the ICT service providers are not financial entities themselves).

When not managed properly, ICT risks can lead to disruptions of financial service delivery. This can have an impact on other financial entities, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector. 

ICT risk management

A framework setting principles and requirements on ICT risk management.

ICT third-party risk management

Mitigation of ICT third-party risk; key contractual provisions.

Digital operational resilience testing

Operational resilience testing programme encompassing a range of tests, including advanced testing.

ICT-related incidents

Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.

Information sharing

Exchange of information and intelligence on cyber threats.

Oversight of critical third-party providers

Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.

What are we working on?

(Work being carried out with the ESAs)

ICT risk framework (Chapter II)
  • RTS on ICT risk management framework (Art. 15)
  • RTS on simplified ICT risk management framework (Art. 16)

ICT-related incident management, classification and reporting (Chapter III)
  • Guidelines on the estimation of aggregated annual costs/losses caused by major ICT incidents (Art. 11.12)
  • RTS on criteria for the classification of ICT-related incidents (Art. 18.3)
  • RTS on specifying the reporting of major ICT-related incidents (Art. 20.a)
  • ITS to establish the reporting details for major ICT-related incidents (Art. 20.b)
  • Feasibility report for establishing a single EU Hub for major ICT-related events (Art. 21)

Digital operational resilience testing (Chapter IV)
  • RTS to specify threat-led penetration testing aspects (Art. 26.11)

Third-party risk management (Chapter V.I)
  • ITS to establish the templates for the Register of information (Art. 29.9)
  • RTS to specify the policy on ICT services (Art. 29.10)
  • RTS to specify elements when sub-contracting critical or important functions (Art. 30.5)

Oversight framework (Chapter V.II)
  • Call for advice on criticality criteria (Art. 31.8)
  • Guidelines on cooperation between ESAs and CAs regarding the structure of the oversight (Art. 32.7)
  • RTS to specify information on oversight conduct (Art. 41)

To help financial entities prepare and submit the DORA registers of information on their ICT third-party service providers, the ESAs and competent authorities will carry out a dry run exercise on a best-efforts basis in 2024. Further details are available here and on the EBA’s website.


In order to provide greater clarity on the supervisory expectations for the application of DORA and on the timeline for the first designation of Critical Third-Party ICT Service Providers (CTPPs) in 2025, the ESAs published a public statement in December 2024.
