Digital Operational Resilience Act (DORA)

About the Digital Operational Resilience Act (DORA)

Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

Type: Regulation.

Objective and key elements:

  • Increases operational resilience and cyber security within the financial sector
  • Enables information-sharing arrangements between financial entities
  • Introduces binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM)
  • Allows financial-sector supervisors to oversee Critical ICT Third-Party Providers (CTPPs), including Cloud Service Providers (CSPs)
  • Includes detailed requirements on the content of agreements with third-party providers

Relevant to: Traditionally regulated entities within the financial sector, such as banks, as well as newer fintech entities such as crypto businesses, but also third-party suppliers to such entities.

Status: In force; applies from 17 January 2025.

Next steps:

  • The draft technical standards are expected to be provided to the EU Commission by 17 January 2024 (in some cases by 17 June 2024); please see below for more information.
  • Local law implementation in respect of enforcement: Member States are to notify any laws, regulations and administrative provisions related to enforcement, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by 17 January 2025.
  • Sweden specific: The Swedish FSA has published a report (in Swedish) with an action plan for monitoring financial entities' use of outsourcing, in which DORA is briefly mentioned.

Technical standards:

The European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority) will develop technical standards that supplement and specify the rules of DORA. From a regulatory perspective, technical standards are essentially complementary regulation that specifies in more detail the requirements under particular articles of DORA.

Public consultation on the first batch opened on 16 June 2023 and is open until 11 September 2023.

The ESAs' consultation drafts in the first batch are:

  • Draft regulatory technical standards setting out detailed requirements on the ICT risk management framework (Articles 15-16 in DORA)
  • Draft regulatory technical standards setting out detailed requirements on the classification of ICT-related incidents (Article 18.3 in DORA)
  • Draft implementing technical standards establishing templates for composing the register of information in relation to all contractual arrangements on the use of ICT services (Article 28.9 in DORA)
  • Draft regulatory technical standards specifying the policy on ICT services performed by ICT third-party providers (Article 28.10 in DORA)

(Last updated 6 September 2023)