DORA

Executive Summary

The Digital Operational Resilience Act (“DORA”) was published in the Official Journal of the European Union (“EU”) in December 2022, with an application date of January 17, 2025. This new EU legislation is designed to improve the cyber security and operational resilience of firms in the EU financial services sector.

If you would like to read more about the requirements for DORA, you can access the full summary here and the compliance checklist here.

Please contact James Delaney with any questions regarding the regulation or for further information on the DORA working group.

James Delaney

Managing Director, Asset Management Regulation

Timeline

AIMA has categorized these requirements as Medium Priority/Medium Impact and they are therefore represented in Mid-Dark Blue in the AIMA Regulatory Horizon scan gantt chart.

Key Dates
DORA compliance date	January 17, 2025
ESAs publish second batch of final draft technical standards and guidelines under DORA. This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS) and two guidelines (see below)	July 17, 2024
Three delegated acts pertaining to the first batch of technical standards under DORA are published in the Official Journal of the EU (see below)	June 25, 2024
European Commission adopts first batch of delegated acts under DORA (the Council and European Parliament will have three months (extendable by three additional months) to formulate objections (if any). In the event both institutions do not raise any objections, these delegated acts will be published in the Official Journal of the EU and enter into force on the twentieth day following their publication.	February 22, 2024
ESAs publish first batch of final draft technical standards under DORA (see below)	January 17, 2024
ESAs consult on second batch of DORA policy mandates	December - March 2024
ESAs consult on the first batch of DORA policy mandates	June - September 2023
ESAs discussion paper on criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers	May 2023
Joint ESAs public event on DORA - Technical discussion (slides)	February 6, 2023
Regulation effective date	January 23, 2023
Directive effective date	January 14, 2023
Regulation and Directive publication date	December 14, 2022
AIMA submits feedback on the proposals to the European Commission	February 16, 2021
ESAs letter to European Commission on the proposals	February 9, 2021
Proposed Regulation and Directive published by European Commission	September 24, 2020
AIMA submits response to consultation paper	March 19, 2020
Consultation paper published by European Commission	December 19, 2019
ESAs advice to European Commission on legislation relating to ICT risk management	April 10, 2019

What's Required Webinar

In April 2023, AIMA and Kroll held a virtual session for members breaking down the key requirements in the Level 1 text of DORA and providing an insight on sound practices and international standards which may influence the forthcoming Level 2 texts.

Recorded on 05/04/2023

Implementing Measures

“Implementing Measures” include (i) regulatory technical standards (RTS), (ii) implementing technical standards (ITS), and (iii) guidelines developed by ESMA, in each case where expressly mandated in DORA.

DORA includes authorisations for a number of Implementing Measures, each described briefly in the table below.

DORA Article	Description	Published in OJ / Drafts published
Article 15	Final RTS on ICT risk management framework	25 June 2024
Article 16(3)	Final RTS on simplified ICT risk management framework	25 June 2024
Article 18(3)	Final RTS on criteria for the classification of ICT-related incidents	25 June 2024
Article 28(9)	Final ITS to establish the templates for the register of information	29 November 2024
Article 28(10)	Final RTS to specify the policy on ICT services performed by ICT third-party providers	25 June 2024
Article 20	Final report on the draft RTS and ITS on incident reporting	17 July 2024
Article 11(1)	Final Report on Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents	17 July 2024
Article 26(11)	Final Report on draft RTS specifying elements related to threat-led penetration testing	17 July 2024
Article 30(5)	Final Report on draft RTS on subcontracting ICT services supporting critical or important functions	26 July 2024
Article 32(7)	Final Report on Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities	17 July 2024
Article 41(1)	Final Report on draft RTS on harmonisation of conditions enabling the conduct of the oversight activities	17 July 2024
Article 21	Feasibility report on further centralisation of incident reporting through the establishment of a single EU hub for major ICT-related incident reporting	By 17 January 2025