Digital Operational Resilience Act (DORA)
On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU. This includes a Regulation and a Directive on digital operational resilience for the financial sector. This will apply in full from January 2025.
DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. For the first time, DORA brings together provisions addressing digital operational risk in the financial sector in a consistent manner in one single legislative act.
Relevant to regulated financial service providers, it introduces targeted rules on:
- Information and Communication Technology (ICT) risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
- Information sharing arrangements.
Regulated financial entities should recognise similarities between a number of key DORA requirements and existing Central Bank guidance in relation to Outsourcing, Operational Resilience and IT & Cybersecurity Risks as well as in existing sectoral guidelines.
Next Steps
The DORA Regulation contains requirements which financial entities will be required to comply with from January 2025, which are further specified in these regulatory and implementing technical standards (RTS and ITS). The European Supervisory Agencies (ESAs), the European Banking Authority the European Insurance and Occupational Pensions Authority and European Securities and Markets Authority, are jointly leading the development of RTS and ITS which are being delivered in two batches (further details provided below). The first three RTS in Batch 1 are now final as they have been adopted by the European Commission (EC).
Batch 1:
The first batch contains the following RTS/ITS:
Batch 2:
The second batch contains the following RTS, ITS and Guidelines (published as Final Reports and submitted to the EC):
These new requirements will help in raising digital operational resilience and cooperation of regulatory authorities across the EU. Firms should monitor updates from the ESAs and the Central Bank of Ireland on their respective websites.
Further Reading
Further updates on DORA will be published on the ESAs websites, and future Central Bank of Ireland updates will be posted on the Communications and Publications page of this website.
Updated: 29 July 2024