
ESMA - Digital Operational Resilience Act (DORA)

Official ESMA page with technical standards, reporting, TLPT and DORA materials.




Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims to strengthen the information and communication technology (ICT) security of financial entities in the remit of the 3 ESAs and to make sure that the financial sector in Europe is able to stay resilient in the event of a severe operational digital disruption. DORA harmonises the rules relating to digital operational resilience for the financial sector, applying to 21 different types of financial entities, of which 12 are in the remit of ESMA.

Why is DORA needed?

The financial sector is increasingly dependent on information and communication technology (ICT) tools and systems to deliver its financial services, for which it increasingly relies on ICT service providers. This may expose financial entities to potential ICT (third-party) risk, because the delivery of their financial services relies on entities that are neither directly supervised nor subject to the same regulatory frameworks (i.e. when the ICT service providers are not financial entities themselves).

When not managed properly, ICT risks can lead to disruptions of financial service delivery. This can have an impact on other financial entities, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

ICT risk management

A framework setting principles and requirements on ICT risk management.

ICT third-party risk management

Mitigation of ICT third-party risk; Key contractual provisions.

Digital operational resilience testing

Operational resilience testing programme encompassing a range of tests, including advanced testing.

ICT-related incidents

Management of ICT-related incidents, and notification of major ones and of significant cyber threats to competent authorities.

Information sharing

Exchange of information and intelligence on cyber threats.

Oversight of critical third-party providers

Oversight framework for ICT third-party providers that are designated as critical by the ESAs for the financial sector.


Links to DORA Policy requirements

DORA Level 1:
- Directive (EU) 2022/2556 as regards digital operational resilience for the financial sector: Publication on Official Journal
- Regulation (EU) 2022/2554 on digital operational resilience for the financial sector: Published on Official Journal

DORA Level 2-3 by topic:

Risk management
- Commission Delegated Regulation (EU) 2024/1774 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework (DORA Art. 15 and 16)
- Commission Delegated Regulation (EU) 2024/1773 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (DORA Art. 28.10)
- Commission Implementing Regulation (EU) 2024/2956 with regard to standard templates for the register of information (DORA Art. 28.9)
- Commission Delegated Regulation (EU) 2025/1190 with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition (DORA Art. 26.11)
- Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions (DORA Art. 30.5)

Incident reporting
- Commission Delegated Regulation (EU) 2024/1772 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (DORA Art. 18.3)
- GL on the estimation of aggregated annual costs/losses caused by major ICT incidents (Art. 11.12)
- Commission Delegated Regulation (EU) 2025/301 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (DORA Art. 20(a))
- Commission Implementing Regulation (EU) 2025/302 laying down implementing technical standards with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (DORA Art. 20(b))

Oversight framework
- GL on cooperation between ESAs and CAs regarding the structure of the oversight (Art. 32.7)
- Commission Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities (DORA Art. 31.8)
- Commission Delegated Regulation (EU) 2024/1505 on the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid (DORA Art. 43.2)
- Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities (DORA Art. 41(a)(b)(d))
- Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements (DORA Art. 41(1)(c))


DORA timeline

DORA implementation timeline

In order to provide greater clarity on the supervisory expectations towards the application of DORA and on the timeline for the first designation of the Critical Third-Party ICT service Providers (CTPPs) in 2025, the ESAs published a public statement in December 2024.

The European Commission has communicated on the further steps towards the implementation of DORA.


On 30 April 2025, the ESAs expect to collect the DORA registers of information from the competent authorities. Financial entities can find all the relevant material to prepare for the reporting of their DORA registers on the EBA's website: see the main page on the register reporting and relevant reporting framework.

DORA oversight

- Joint ESAs Technical Advice on two EC delegated acts under the DORA specifying further criteria for critical ICT third-party service providers
- Joint ESAs Consultation on the first batch of DORA policy products
- Joint ESAs Consultation on the second batch of DORA policy products
- Draft technical standards (Joint ESAs Final Reports) for the first batch of DORA policy products
- Joint ESAs public event on DORA – Technical discussion (6 February 2023)
- First joint ESAs public hearing on DORA policy products (13 July 2023)
- Second joint ESAs public hearing on DORA policy products (23 January 2024)
- Second batch of policy products under DORA (17 July 2024)
- Joint Final report on the draft technical standards on subcontracting under DORA (26 July 2024)
- ESAs Opinion on the rejection of the ITS on RoI under DORA (15 October 2024)
- Decision on the information that competent authorities must report to them for the designation of critical ICT third-party service providers (8 November 2024 | Updated on 29 January 2025)
- ESAs Statement on DORA application (4 December 2024)
- 2024 Dry Run exercise - Key findings (17 December 2024)
- Report on the feasibility for further centralisation of reporting of major ICT-related incidents (17 January 2025)
- ESAs Opinion on the rejection of the RTS on subcontracting under DORA (7 March 2025)
- Preparing for the DORA Oversight Framework: CTPP Designation and Next Steps (14 May 2025)
- Joint ESAs Report in response to the European Commission consultation pursuant to Article 58(3) of Regulation (EU) 2022/2554 (DORA) (17 December 2025)