Bank of Lithuania

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA) is an EU regulation which entered into force on 16 January 2023 and will apply from 17 January 2025.

DORA is a directly applicable EU legal act which aims to increase the digital operational resilience of the EU financial sector by strengthening the risk management and incident reporting systems of financial entities (such as banks, insurance undertakings, electronic money and payment institutions, and investment firms) and of information and communication technology (ICT) and third-party service providers.

DORA establishes a regulatory framework for digital operational resilience which requires all undertakings covered by this regulation to ensure the operational capacity to withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are uniformly applied in all EU Member States and define ICT risk, establish rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. DORA is designed for 20 different types of financial entities and ICT and third-party service providers.

Other information:


Regulatory technical standards

  • Commission Delegated Regulation (EU) 2024/1774 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
  • Commission Delegated Regulation (EU) 2024/1773 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
  • Commission Delegated Regulation (EU) 2024/1772 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
  • Commission Implementing Regulation (EU) 2024/2956 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information

RTS/ITS


Links to relevant information by EU supervisory authorities


Last update: 24-04-2024