Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.

It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers.

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does it cover?

ICT risk management
Principles and requirements on ICT risk management framework
ICT third-party risk management
Monitoring third-party risk providers
Key contractual provisions
Digital operational resilience testing
Basic and advanced testing
ICT-related incidents
General requirements
Reporting of major ICT-related incidents to competent authorities
Information sharing
Exchange of information and intelligence on cyber threats
Oversight of critical third-party providers
Oversight framework for critical ICT third-party providers

Resources

Implementing act

Implementing and delegated acts in the official journal

Policy products as prepared by the ESAs:

Guidelines:

Guidelines on oversight cooperation

Opinions:

EIOPA Opinion on the scope of DORA in light of the review of the Solvency II framework

Decisions:

ESAs Decision the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third-party service providers

Other resources:

Consultations

Timeline for implementing legislative acts

The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)), are preparing a set of policy products to enable the application of DORA.

Timeline:

16 January 2023
Entry into force of DORA
17 January 2025
Application of DORA
from 2025
Start of the oversight activities for the ESAs (incl. CTPPs designation)