Financial Sector

Digital Operational Resilience Act (DORA)

In view of the growing information and communication technology (ICT) risks that come with increasing digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was adopted to strengthen the digital operational resilience of the EU financial sector through a single legal framework. This framework is the Level 1 text, Regulation (EU) 2022/2554, which applies from 17 January 2025. DORA is built on six main pillars:

Six main pillars of DORA

DORA mandates the European Supervisory Authorities (ESAs) and the European Commission to develop a number of further regulatory products and reports, i.e. the Level 2 and Level 3 texts. At Level 2, the ESAs draft regulatory technical standards (RTS) and implementing technical standards (ITS), which the Commission then adopts as Commission Delegated Regulations (CDR) and Commission Implementing Regulations (CIR) respectively; at Level 3, the ESAs issue guidelines directly. The entries below marked "Final Draft" are those that had been submitted by the ESAs but not yet adopted by the Commission at the time of writing.

Level | Legislation (or equivalent)                                                                                        | Linked to (DORA article)
------|--------------------------------------------------------------------------------------------------------------------|-------------------------
1     | DORA, Regulation (EU) 2022/2554                                                                                    | n/a
2     | CDR on the ICT risk management framework                                                                           | Art. 15
2     | CDR on the classification of ICT-related incidents and cyber threats                                               | Art. 18(3)
2     | Final Draft RTS and ITS on the content, timelines and templates for ICT-related incident reporting                  | Art. 20
2     | Final Draft RTS on threat-led penetration testing (TLPT)                                                            | Art. 26(11)
2     | CDR on the policy on ICT contractual arrangements supporting critical or important ('CoI') functions               | Art. 28(10)
2     | Final Draft RTS on the subcontracting of ICT services supporting critical or important ('CoI') functions           | Art. 30(5)
2     | CIR on the register of information                                                                                 | Art. 28(9)
3     | Guidelines on the estimation of aggregated annual costs and losses from major ICT-related incidents                | Art. 11(11)

In addition, DORA mandates the ESAs and the Commission to develop regulatory products and reports on critical ICT third-party service providers (CTPPs) and the oversight framework that applies to them; these are not covered here.
