Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) (Regulation 2023/2554) establishes a comprehensive framework for digital operational resilience among EU financial entities.
DORA addresses the increasing dependence of the financial sector on information and communication technology (ICT) tools and systems for service delivery. As financial entities rely more on ICT service providers, there is a heightened exposure to potential ICT (third-party) risks, as these providers may not be directly supervised or subject to the same regulatory frameworks.
Mismanagement of ICT risks can lead to disruptions in service delivery, impacting not only financial entities but also other sectors and the broader economy. Ensuring digital operational resilience in the financial sector is therefore crucial. The DORA oversight framework assigns the role of Lead Overseer to the three European Supervisory Authorities (ESAs), ensuring adequate monitoring of Critical Third-Party Providers (CTPPs) on a pan-European scale.
Companies affected by DORA include all financial sector entities within the EU. Additionally, ICT third-party providers offering services to financial entities, categorised as Critical Third-Party Providers (CTPPs), fall under DORA's purview and are subject to EU oversight.
The reporting implementation deadline is a crucial aspect of DORA that affected entities must adhere to in order to achieve timely compliance with the regulatory requirements. DORA came into force on January 16, 2023, with oversight activities and reporting, including CTPP designation, beginning in 2025.
DORA covers various requirements aimed at enhancing digital operational resilience within the EU financial sector, including oversight, monitoring, and risk management obligations for financial entities and CTPPs. These requirements encompass:
Additional details can be found in the accompanying Regulatory Technical Standards (RTS).
Reporting Templates
Reporting templates are integral components of DORA compliance, facilitating the submission of necessary information to regulatory authorities. These templates streamline reporting processes and ensure consistency in data submission across entities subject to DORA.
For example, the EBA has introduced a new cross-sectoral requirement to report registers of information on the use of contractual arrangements with ICT third-party providers, based on the new ITS within DPM 3.5 (applicable from December 31, 2024). Further templates are in progress, especially for the tracking of critical incidents.