Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and applies from 17 January 2025. It aims to strengthen the information and communication technology (ICT) security of the financial entities within the remit of the three European Supervisory Authorities (ESAs) and to make sure that the European financial sector can stay resilient in the event of a severe digital operational disruption. DORA harmonises the rules on digital operational resilience for the financial sector and applies to 21 different types of financial entities, 12 of which are in the remit of ESMA.
Why is DORA needed?
The financial sector is increasingly dependent on information and communication technology (ICT) tools and systems to deliver its financial services, and for these it increasingly relies on ICT service providers. This may expose financial entities to ICT (third-party) risk, because the delivery of their financial services then depends on entities that are neither directly supervised nor subject to the same regulatory frameworks (i.e. when the ICT service providers are not themselves financial entities).
When not managed properly, ICT risks can lead to disruptions of financial service delivery. This can have an impact on other financial entities, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
ICT risk management
A framework setting principles and requirements on ICT risk management.
ICT third-party risk management
Mitigation of ICT third-party risk; Key contractual provisions.
Digital operational resilience testing
Operational resilience testing programme encompassing a range of tests, including advanced testing.
ICT-related incidents
Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.
Information sharing
Exchange of information and intelligence on cyber threats.
Oversight of critical third-party providers
Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.
What are we working on?
(Work being carried out with the ESAs)
ICT risk framework (Chapter II)
ICT-related incident management, classification and reporting (Chapter III)
Digital operational resilience testing (Chapter IV)
ICT third-party risk management (Chapter V, Section I)
Oversight framework (Chapter V, Section II)
To help financial entities prepare and submit the DORA registers of information on their ICT third-party service providers, the ESAs and competent authorities will carry out a dry-run exercise on a best-efforts basis in 2024. Further details are available here and on the EBA's website.
To give greater clarity on the supervisory expectations for the application of DORA and on the timeline for the first designation of critical ICT third-party service providers (CTPPs) in 2025, the ESAs published a public statement in December 2024.