The Digital Operational Resilience Act (DORA) was introduced on 16 January 2023 and will come into effect starting on 17 January 2025. The act was created to improve the digital operational resilience of entities operating in the EU financial sector and to support important digital operational resilience requirements for all EU financial entities.
DORA is a regulatory framework that covers key areas such as ICT-related incident management and reporting, ICT risk management, digital operational resilience testing, and the management of ICT third-party risk.
Under DORA, the European Supervisory Authorities (EBA, EIOPA and ESMA) will develop 13 policy instruments in two separate batches. The first batch of technical standards, which are subject to the recently-launched public consultation, are to be submitted by 17 January 2024, and they include RTS to specify the policy on ICT services performed by ICT third-party providers, ITS to establish the templates for the register of information, RTS on ICT risk management framework and RTS on simplified ICT risk management framework, and RTS on criteria for the classification of ICT-related incidents.
Those who wish to submit their comments can do so by finding the ‘send your comments’ section on the official consultation page. However, it’s worth noting that there is a deadline for comment submission, namely 11 September 2023. The ESAs will also organise a webinar on 13 July 2023, which will act as a public hearing. Interested stakeholders can register for this webinar until 10 July 2023.
DORA was designed to prevent and reduce cyber threats while making sure that companies can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The framework is a part of the European Commission’s digital finance package, which was adopted on 24 September 2020, which also includes the proposals for the regulations on markets in crypto-assets (MiCA) and the pilot regime for market infrastructures based on distributed ledger technology.
DORA applies to a wide range of financial entities, including credit institutions, crowdfunding service providers, payment institutions, electronic money institutions, account information service providers, crypto-asset service providers authorised under the MiCA regulation, central securities depositories, insurance intermediaries, credit rating agencies, and third-party ICT service providers such as cloud platforms and data analytics providers.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now