About the Digital Operational Resilience Act (DORA)

Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

Type: Regulation

Objective and key elements:

  • Increasing operational resilience and cyber security within the financial sector
  • A possibility for financial entities to form information-sharing arrangements among themselves
  • Introducing binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM)
  • Allowing financial services supervisors to oversee Critical ICT Third-Party Providers (CTPPs), including Cloud Service Providers (CSPs)
  • Detailed requirements on the content of agreements with third-party providers

Relevant to: Traditionally regulated entities within the financial sector, such as banks, as well as newer fintech entities such as crypto firms, but also third-party suppliers of such entities

Status: In force, will apply from 17 January 2025.

Next steps:

  • The draft technical standards are expected to be provided to the EU Commission by 17 January 2024 (in some cases by 17 June 2024); see below for more information
  • Local law implementation in respect of enforcement: Member States must notify any laws, regulations and administrative provisions related to enforcement, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by 17 January 2025.
  • Sweden specific: The Swedish FSA has published a report (in Swedish) with an action plan for the monitoring of financial entities' use of outsourcing, in which DORA is briefly mentioned.

Technical standards:

The European Supervisory Authorities (ESAs: the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority) will develop technical standards that supplement and specify the rules of DORA. From a regulatory perspective, technical standards are essentially complementary regulation, which specifies in more detail the requirements under specific articles in DORA.

The public consultation on the first batch opened on 16 June 2023 and remains open until 11 September 2023.

The ESAs' consultation drafts in the first batch are:

  • Draft regulatory technical standards setting out detailed requirements on the ICT risk management framework (Articles 15-16 of DORA)
  • Draft regulatory technical standards setting out detailed requirements on the classification of ICT-related incidents (Article 18.3 of DORA)
  • Draft implementing technical standards establishing templates for composing the register of information in relation to all contractual arrangements on the use of ICT services (Article 28.9 of DORA)
  • Draft regulatory technical standards specifying the policy on ICT services performed by ICT third-party providers (Article 28.10 of DORA)

Relevant local links:

  • Swedish FSA's report on next steps

(Last updated 31 October 2023)