Digital Operational Resilience Act (DORA)

On 27 December 2022, the Digital Operations Resilience Act (DORA) was published in the Official Journal of the EU. This includes a Regulation and a Directive on digital operational resilience for the financial sector. This will apply in full from January 2025.

DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. For the first time, DORA brings together provisions addressing digital operational risk in the financial sector in a consistent manner in one single legislative act.

Relevant to regulated financial service providers, it introduces targeted rules on:

• Information and Communication Technology (ICT) risk management
• ICT-related incident management, classification and reporting
• Digital operational resilience testing
• Management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
• Information sharing arrangements.

Regulated financial entities should recognise similarities between a number of key DORA requirements and existing Central Bank guidance in relation to Outsourcing, Operational Resilience and IT & Cybersecurity Risks as well as in existing sectoral guidelines.

Next Steps

The DORA Regulation contains requirements which financial entities will be required to comply with from January 2025, which are further specified in these regulatory and implementing technical standards (RTS and ITS). The European Supervisory Agencies (ESAs), the European Banking Authority the European Insurance and Occupational Pensions Authority and European Securities and Markets Authority, are jointly leading the development of RTS and ITS which are being delivered in two batches (further details provided below). The first three RTS in Batch 1 are now final as they have been adopted by the European Commission (EC).

Batch 1:

The first batch contains the following RTS/ITS:

• RTS on ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework;
• RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
• RTS on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;
• ITS on the register of information on contractual arrangements on the use of ICT services provided by ICT third-party service providers (ESA final report version submitted to EC.

Batch 2:

The second batch contains the following RTS, ITS and Guidelines (published as Final Reports and submitted to the EC):

• RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
• RTS on the harmonisation of conditions enabling the conduct of the oversight activities;
• RTS specifying the criteria for determining the composition of the joint examination team (JET);
• RTS on threat-led penetration testing (TLPT);
• Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents;
• The elements firms need to determine and assess when permitting subcontracting ICT services supporting critical or important business functions (pending publication of ESAs’ final report).

These new requirements will help in raising digital operational resilience and cooperation of regulatory authorities across the EU. Firms should monitor updates from the ESAs and the Central Bank of Ireland on their respective websites.

Further Reading

• The Regulation and a Directive on digital operational resilience for the financial sector;
• "Implementing DORA - Achieving enhanced digital operational resilience in European financial services" - Remarks by Gerry Cross, Director of Financial Regulation, Policy & Risk;
• Central Bank sets out regulatory and supervisory priorities for 2023;
• The ESAs will continue to publish responses to Joint Q&As on the interpretation and application of DORA on their respective web pages.

Further updates on DORA will be published on the ESAs websites, and future Central Bank of Ireland updates will be posted on the Communications and Publications page of this website.

Updated: 24 July 2024