European Insurance and Occupational Pensions Authority

Digital Operational Resilience Act (DORA)

Why is DORA needed?

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can have an impact on other companies, sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

What does it cover?

1. ICT risk management
  Principles and requirements on ICT risk management framework

2. ICT third-party risk management
  Monitoring third-party risk providers
  Key contractual provisions

3. Digital operational resilience testing
  Basic and advanced testing

4. ICT-related incidents
  General requirements
  Reporting of major ICT-related incidents to competent authorities

5. Information sharing
  Exchange of information and intelligence on cyber threats

6. Oversight of critical third-party providers
  Oversight framework for critical ICT third-party providers

Timeline for implementing legislative acts

The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) are preparing a set of policy products to enable the application of DORA.

Timeline:

1. 16 January 2023
  Entry into force of DORA

2. 26 May – 23 June 2023
  Public consultation on the call for advice on criticality criteria and fees

3. 17 July 2024
  Delivery of the second batch of policy products

4. 17 January 2025
  Application of DORA

5. From 2025
  Start of the oversight activities for the ESAs (incl. CTPPs designation)