European Insurance and Occupational Pensions Authority

Digital Operational Resilience Act (DORA)

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does it cover?

DORA introduces uniform and harmonised governing principles for the management of cyber risks. This means that the reporting on cyber incidents can be streamlined, and third-party risk supervised.

DORA’s main areas are:

  • ICT risk management
  • ICT incident management and reporting
  • testing of the operational resilience of ICT systems
  • management of ICT third party risks

How does the supervision of risks work within DORA?

From a supervisory perspective, DORA aims at:

  • increasing the awareness of cyber risks and ICT-related incidents faced by financial entities
  • enhancing the cooperation among competent authorities in the financial sector, as well as among authorities from different sectors and jurisdictions in relation to ICT and cyber risk management.

In practice, the DORA regulation introduces frameworks to oversee risks:

  • a framework to identify systemic and concentration risks caused by the financial sector’s reliance on ICT third-party service providers
  • a framework to ensure that risks posed by critical ICT service providers to financial entities are properly managed

Timeline for implementing legislative acts

The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)), are preparing a set of policy products to enable the application of DORA.

Timeline:

  1. 16 January 2023

    Entry into force of DORA

  2. 26 May – 23 June 2023

    Public consultation on the call for advice on criticality criteria and fees

  3. 30 September 2023

    Call for advice on criticality criteria and fees

  4. November/December 2023

    Public consultation on the second batch of policy products (Art. 11(11), 20a, 20b, 26(11), 30(5), 32(7) and 41 DORA)

  5. 17 January 2024

    Delivery of the first batch of policy products

  6. 17 July 2024

    Delivery of the second batch of policy products

  7. 17 January 2025

    Application of DORA

  8. from 2025

    Start of the oversight activities for the ESAs (incl. CTPPs designation)
