Digital Operational Resilience Act (DORA)

On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU. It comprises a Regulation and a Directive on digital operational resilience for the financial sector. The Regulation is now in force and will apply in full from January 2025.

DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. For the first time, DORA brings together provisions addressing digital operational risk in the financial sector in a consistent manner in one single legislative act.

It introduces targeted rules on:

  • Information and Communication Technology (ICT) risk management
  • ICT-related incident management, classification and reporting
  • Digital operational resilience testing
  • Managing of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)

Regulated financial entities should recognise similarities between a number of key DORA requirements and existing Central Bank guidance on Outsourcing, Operational Resilience and IT & Cybersecurity Risks, as well as existing sectoral guidelines.

Next Steps

The European Supervisory Agencies (ESAs), namely the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, are jointly leading the development of the technical standards required by the DORA Regulation. These are progressing in two batches; the ESAs are running public consultations on them from June to September 2023 and from December 2023 to March 2024 respectively. These technical standards will:

Batch 1:

  • Further specify the required elements of financial entities' ICT risk management framework and, where applicable, a simplified ICT risk management framework;
  • Further specify the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats;
  • Further specify the policy on contractual arrangements with ICT third-party service providers supporting critical or important functions; and
  • Establish standard templates to be used in the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

Batch 2:

  • Establish forms and procedures for financial entities to report a major ICT-related incident and to notify significant cyber threats;
  • Specify further elements for financial entities to determine and assess when sub-contracting ICT services supporting critical or important functions;
  • Further specify the details of advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT), including the criteria used to identify those financial entities that are required to perform TLPT; and
  • Harmonise the conditions enabling the conduct of oversight of ICT third-party service providers designated as critical.

These technical standards are to be developed by the Joint Committee of the ESAs and are to be provided to the European Commission for adoption in January and July 2024.

Pending the adoption of these technical standards, the DORA Regulation itself already sets out in considerable detail the requirements with which financial entities will have to comply from January 2025.

Financial entities should be planning the steps they will need to take between now and January 2025 to ensure that they can comply with this regulation and support the intended benefits of increased harmonisation of digital operational resilience across the European financial system.

Further Reading

Please refer to the relevant ESA web pages for details on the public consultations.

Updated: 12 January 2024