In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was established to further strengthen the digital operational resilience in the EU financial sector by introducing a common legal framework, i.e., Level 1 text, which will enter into application on 17 January 2025. The six main pillars of DORA are as follows:
DORA mandates the European Supervisory Authorities (ESAs) and the Commission to develop a number of regulatory products and reports, i.e. Level 2 and Level 3 texts.
| Level | Legislation (or equivalent) | Linked to |
|---|---|---|
| 1 | DORA Regulation (EU) 2022/2554 | n/a |
| 2 | CDR on ICT risk management framework | Art. 15 |
| 2 | CDR on the classification of ICT-related incidents and cyber threats | Art. 18(3) |
| 2 | Final Draft RTS and ITS on content, timelines and templates on ICT-related incident reporting | Art. 20 |
| 2 | Final Draft RTS on threat-led penetration testing | Art. 26(11) |
| 2 | CDR on the policy on ICT contractual arrangements supporting ‘CoI’ functions | Art. 28(10) |
| 2 | Final Draft RTS on subcontracting of ‘CoI’ functions | Art. 30(5) |
| 2 | CIR on the register of information | Art. 28(9) |
| 3 | Guidelines on aggregated costs and losses from major ICT-related incidents | Art. 11(1) |
In addition, DORA mandates the ESAs and the Commission to develop regulatory products and reports concerning critical ICT third-party service providers and their oversight (not covered here).