Digital Operational Resilience Act (DORA)

About the Digital Operational Resilience Act (DORA)

Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

Type: Regulation.

Objective and key elements:

  • Increase digital operational resilience and cyber security across the financial sector
  • Permits financial entities to set up arrangements to exchange cyber threat information and intelligence among themselves
  • Introduces binding rules for ICT risk management, ICT-related incident reporting, digital operational resilience testing and ICT third-party risk management (TPRM)
  • Establishes an EU-level oversight framework under which financial supervisors (the European Supervisory Authorities acting as Lead Overseers) oversee critical ICT third-party service providers (CTPPs), including cloud service providers (CSPs)
  • Sets out detailed requirements on the content of contractual agreements with ICT third-party service providers

Relevant to: Traditionally regulated entities within the financial sector, such as banks, as well as newer fintech entities such as crypto-asset service providers, and also ICT third-party service providers to such entities.

Status: In force (since 16 January 2023); applies from 17 January 2025.
Next steps: National implementation in respect of enforcement: Member States must notify the laws, regulations and administrative provisions relating to enforcement, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by 17 January 2025.

(Last updated 12 February 2023)