My favourites

About

About the Digital Operational Resilience Act (DORA)

Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

 

Type: Regulation

 

Objective and key elements:

  • Increasing operational resilience and cyber security within the financial sector
  • A possibility to form information sharing arrangements between financial entities
  • Introducing binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM)
  • Allowing FS supervisors to oversee Critical ICT Third-Party Providers (CTPPs) including Cloud Service Providers (CSPs)
  • Detailed requirements on content of agreements with third party providers

 

Relevant to: Traditionally regulated entities within the financial sector, such as banks, fintech and newer Fintech-entities such as crypto, but also third-party suppliers of such entities

 

Status: In force, will apply from 17 January 2025

Next steps: Local law implementation in respect of enforcement: Member States to notify any laws, regulations and administrative provisions related to enforcement, including any relevant criminal law provisions, to the Commission, ESMA, the EBA, and EIOPA by 17 January 2025

 

Relevant local links:

  • Swedish FSA's report on next steps, link

(Last updated 7 March 2023)