Digital Operational Resilience Act (DORA)

On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU. The package comprises a Regulation and a Directive on digital operational resilience for the financial sector, and it will apply in full from January 2025.

DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. For the first time, DORA brings together provisions addressing digital operational risk in the financial sector in a consistent manner in one single legislative act.

Relevant to regulated financial service providers, it introduces targeted rules on:

  • Information and Communication Technology (ICT) risk management
  • ICT-related incident management, classification and reporting
  • Digital operational resilience testing
  • Managing of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
  • Information sharing arrangements.

Regulated financial entities should recognise similarities between a number of key DORA requirements and existing Central Bank guidance on Outsourcing, Operational Resilience and IT & Cybersecurity Risks, as well as existing sectoral guidelines.

Next Steps

The European Supervisory Agencies (ESAs), namely the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, are jointly leading the development of the technical standards required by the DORA Regulation. These supporting regulatory and implementing technical standards (RTS and ITS) have been developed in two batches, for submission in January and July 2024 to the European Commission, which is empowered to adopt them.

Batch 1:

The first batch contains the following RTS/ITS:

Batch 2:

The second batch contains, inter alia, technical standards on:

  • The timing and content of incident reporting,
  • The elements firms need to determine and assess when permitting the subcontracting of ICT services that support critical or important business functions,
  • Threat Led Penetration Testing for firms that will be designated nationally on the basis of, among other criteria, their size, interconnections and critical importance to the financial sector.

The DORA Regulation sets out requirements with which financial entities must comply from January 2025; these requirements are further specified in the RTS/ITS.

These new requirements will help raise digital operational resilience across the EU and strengthen cooperation between regulatory authorities. Firms should monitor updates from the ESAs and the Central Bank of Ireland on their respective websites.

Further Reading

Further updates on DORA will be published on the ESAs' websites, and future CBI updates will be posted on the Communications tab of this website.

Updated: 18 June 2024