
The Digital Operational Resilience Act (DORA) creates a harmonised regulatory framework strengthening the information and communication technology (ICT) security of financial entities. DORA entered into force on 16 January 2023 and will apply to in-scope financial services entities from 17 January 2025. For further information, please refer to our previous briefing on the topic.

The European Supervisory Authorities (the ESAs) [1] have been tasked with developing technical standards implementing the new DORA framework.

On 19 June 2023, the ESAs published the first batch of policy mandates in respect of Articles 15, 16(3), 18(3), 28(9) and 28(10) of DORA. This includes consultation papers in respect of the following standards:

  • Regulatory Technical Standards (RTS) on the ICT risk management framework (Article 15) and RTS on the simplified ICT risk management framework (Article 16(3)).
  • RTS on criteria for the classification of ICT-related incidents (Article 18(3)).
  • Implementing Technical Standards (ITS) to establish the templates for the register of information (Article 28(9)).
  • RTS to specify the policy on ICT services performed by ICT third-party providers (Article 28(10)).

Market participants have been invited to provide their feedback to the draft technical standards by responding to the questions posed in the consultation papers.

The ESAs have also published an Introductory Note providing an overview of the consultation papers.

Next Steps

The public consultation on the first batch of policy mandates remains open until 11 September 2023. The various legal instruments will be finalised by the ESAs and submitted to the European Commission by 17 January 2024.

The public consultation on the second batch of policy mandates (in respect of Articles 11(11), 20a, 20b, 26(11), 30(5), 32(7) and 41 of DORA) is expected by the end of 2023.

Firms within the scope of DORA are encouraged to start preparing for its application by identifying any gaps in their ICT governance and processes and by considering which of their ICT service providers support critical or important functions. Among other things, DORA requires that certain contractual provisions be included in contracts for the provision of ICT services. Contracts with third-party providers supporting critical or important functions are subject to more comprehensive requirements than contracts with third-party providers supporting other functions.

Footnote

1. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).
