Digital operational resilience Act
The Digital Operational Resilience Act (DORA) (Regulation 2023/2554) establishes a comprehensive framework on digital operational resilience for EU financial entities. While all financial sector entities will be subject to DORA, ICT third-party providers who provide ICT services to financial entities and are identified as critical (critical third-party providers - CTPPs), will be subject to an EU oversight framework. The DORA oversight framework assigns to the three European Supervisory Authorities - ESAs (i.e. European Banking Authority – EBA , European Securities and Markets Authority - ESMA, European Insurance and Occupational Pension Authority - EIOPA) the role of Lead Overseer, to ensure that CTPPs are adequately monitored on a Pan-European scale, for the risks that they may pose to EU financial sector.
As part of the oversight activities, the EBA, as well the other ESAs designated as Lead Overseer, may request information to CTPPs, conduct off-site investigation and onsite inspection, impose penalties and issue recommendations to CTPPs. The DORA oversight framework also benefits from the cooperation with ENISA (European Network and Information Security Agency); and with other EU competent authorities, which can support the Lead Overseer in the conduct of oversight activities and are responsible follow-up on the recommendations of the Lead Overseer with the financial entities they supervise.
Links
- Operational resilience
- Regulatory Technical Standards on ICT risk management framework and on simplified ICT risk management framework
- Regulatory Technical Standards on criteria for the classification of ICT-related incidents
- Implementing Technical Standards to establish the templates for the register of information
- Regulatory Technical Standards on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers
- Joint Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities
- Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions
- Joint Technical Standards on major incident reporting
- Joint Regulatory Technical Standards specifying elements related to threat led penetration tests
- Discussion paper on two delegated acts specifying further criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers
- ESAs Report on the landscape of ICT third-party providers in the EU
Preparation for DORA application
The European Supervisory Authorities (ESAs) are currently preparing for the application of the Digital Operational Resilience Act (DORA), by focusing on policy implementation, setting up the oversight framework over critical third-party providers and related operational activities.
