Digital Operational Resilience Act (DORA)
About the Digital Operational Resilience Act (DORA)
Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
Type: Regulation.
Objective and key elements:
- Increases operational resilience and cyber security within the financial sector
- Allows financial entities to set up arrangements among themselves for exchanging cyber threat information and intelligence
- Introduces binding rules for ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing), and ICT third-party risk management (TPRM)
- Establishes an EU-level oversight framework under which the ESAs, acting as Lead Overseer, oversee critical ICT third-party service providers (CTPPs), including cloud service providers (CSPs)
- Includes detailed requirements on the content of contractual arrangements with ICT third-party service providers
Relevant to: Traditionally regulated entities within the financial sector, such as banks and fintech firms, as well as newer entrants such as crypto-asset service providers, and also ICT third-party service providers to such entities.
Status: In force since 16 January 2023, applicable since 17 January 2025.
Next steps:
- The ESAs submit draft technical standards to the European Commission for adoption. The first batch of technical standards was adopted by the Commission on 13 March 2024 and published in the Official Journal on 25 June 2024. The second batch of final draft technical standards was published by the ESAs on 17 July 2024 (see below for details).
Technical standards:
The European Supervisory Authorities (ESAs), i.e. EBA, ESMA and EIOPA, develop technical standards that supplement and specify the rules of DORA. Once adopted by the Commission as delegated or implementing regulations, these technical standards are directly applicable complementary legislation that sets out in more detail the requirements under specific articles of DORA.
Technical standards adopted by the Commission and in force:
- Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
Draft regulatory technical standards published by the ESAs and submitted to the Commission for adoption:
- Draft Regulatory Technical Standards specifying elements related to threat-led penetration tests under Article 26(11) of Regulation (EU) 2022/2554
- Draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents, and Draft Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat
- Draft Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities
- Draft Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554
Guidance:
(Last updated 17 January 2025)
Implemented in Finland as:
- Act amending the Act on the Financial Supervisory Authority (Laki Finanssivalvonnasta annetun lain muuttamisesta, 610/2024)
- Act amending Chapters 9 and 11 of the Act on Credit Institutions (Laki luottolaitostoiminnasta annetun lain 9 ja 11 luvun muuttamisesta, 611/2024)
- Act amending Chapter 7, Section 2 and Chapter 7a, Section 1 of the Investment Services Act (Laki sijoituspalvelulain 7 luvun 2 §:n ja 7 a luvun 1 §:n muuttamisesta, 612/2024)
- Act amending Sections 19a and 19b of the Payment Institutions Act (Laki maksulaitoslain 19 a ja 19 b §:n muuttamisesta, 613/2024)
- Act amending Chapter 3, Sections 1 and 18 of the Act on Trading in Financial Instruments (Laki kaupankäynnistä rahoitusvälineillä annetun lain 3 luvun 1 ja 18 §:n muuttamisesta, 614/2024)
Status: In force.
Competent authority: The Finnish Financial Supervisory Authority (FIN-FSA, Finanssivalvonta)
(Last updated 17 January 2025)
