Executive Summary
The Digital Operational Resilience Act (“DORA”) was published in the Official Journal of the European Union (“EU”) in December 2022, with an application date of January 17, 2025. This new EU legislation is designed to improve the cyber security and operational resilience of firms in the EU financial services sector.
If you would like to read more about the requirements for DORA, you can access the full summary here and the compliance checklist here.
Please contact James Delaney with any questions regarding the regulation or for further information on the DORA working group.
James Delaney
Managing Director, Asset Management Regulation
Timeline
AIMA has categorized these requirements as Medium Priority/Medium Impact, and they are therefore represented in Mid-Dark Blue in the AIMA Regulatory Horizon scan Gantt chart.
DORA compliance date | January 17, 2025 |
ESAs publish second batch of final draft technical standards and guidelines under DORA. This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and two guidelines (see below) | July 17, 2024 |
Three delegated acts pertaining to the first batch of technical standards under DORA are published in the Official Journal of the EU (see below) | June 25, 2024 |
European Commission adopts first batch of delegated acts under DORA. The Council and European Parliament will have three months (extendable by three additional months) to formulate objections (if any). If neither institution raises any objections, these delegated acts will be published in the Official Journal of the EU and enter into force on the twentieth day following their publication. | February 22, 2024 |
ESAs publish first batch of final draft technical standards under DORA (see below) | January 17, 2024 |
ESAs consult on second batch of DORA policy mandates | December - March 2024 |
ESAs consult on the first batch of DORA policy mandates | June - September 2023 |
ESAs discussion paper on criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers | May 2023 |
Joint ESAs public event on DORA - Technical discussion (slides) | February 6, 2023 |
Regulation effective date | January 23, 2023 |
Directive effective date | January 14, 2023 |
Regulation and Directive publication date | December 14, 2022 |
AIMA submits feedback on the proposals to the European Commission | February 16, 2021 |
ESAs letter to European Commission on the proposals | February 9, 2021 |
Proposed Regulation and Directive published by European Commission | September 24, 2020 |
AIMA submits response to consultation paper | March 19, 2020 |
Consultation paper published by European Commission | December 19, 2019 |
ESAs advice to European Commission on legislation relating to ICT risk management | April 10, 2019 |
What's Required Webinar
In April 2023, AIMA and Kroll held a virtual session for members breaking down the key requirements in the Level 1 text of DORA and providing an insight on sound practices and international standards which may influence the forthcoming Level 2 texts.
Recorded on 05/04/2023
Implementing Measures
“Implementing Measures” include (i) regulatory technical standards (RTS), (ii) implementing technical standards (ITS), and (iii) guidelines developed by ESMA, in each case where expressly mandated in DORA.
DORA includes authorisations for a number of Implementing Measures, each described briefly in the table below.
 | | Published in OJ / Drafts published |
Article 15 | | 25 June 2024 |
Article 16(3) | | 25 June 2024 |
Article 18(3) | Final RTS on criteria for the classification of ICT-related incidents | 25 June 2024 |
Article 28(9) | Final ITS to establish the templates for the register of information | 29 November 2024 |
Article 28(10) | Final RTS to specify the policy on ICT services performed by ICT third-party providers | 25 June 2024 |
Article 20 | | 17 July 2024 |
Article 11(1) | | 17 July 2024 |
Article 26(11) | Final Report on draft RTS specifying elements related to threat-led penetration testing | 17 July 2024 |
Article 30(5) | Final Report on draft RTS on subcontracting ICT services supporting critical or important functions | 26 July 2024 |
Article 32(7) | | 17 July 2024 |
Article 41(1) | | 17 July 2024 |
Article 21 | Feasibility report on further centralisation of incident reporting through the establishment of a single EU hub for major ICT-related incident reporting | By 17 January 2025 |