Topic: Digital operational resilience in financial services dora

On 4 December 2024, the European Supervisory Authorities (ESAs) issued a statement on the application of the Digital Operational Resilience Act (DORA).

On 2 December 2024, there was published in the Official Journal of the EU Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of the Regulation on digital operational resilience for the financial sector (DORA) with regard to standard templates for the register of information. The Implementing Regulation enters into force on the twentieth day following that of its publication in the Official Journal of the European Union (22 December 2024).

On 15 November 2024, the European Supervisory Authorities issued a Decision on the information that Member State competent authorities (NCAs) must report to them for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act (DORA).

On 6 November 2024, the Joint Committee of the European Supervisory Authorities (ESAs) published joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under the Regulation on digital operational resilience for the financial sector (DORA).

On 24 October 2024, the European Commission adopted a Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) on harmonisation of conditions enabling the conduct of the oversight activities.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an opinion regarding the European Commission’s (EC) rejection of the draft Implementing Technical Standards (the Draft ITS) for the register of information under the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). DORA requires financial entities to maintain and regularly update a register of information covering all contractual agreements with ICT third-party service providers. This register is crucial for managing third-party ICT risks and will enable the EU competent authorities and ESAs to supervise compliance with DORA and identify critical ICT service providers subject the DORA’s oversight framework. The Draft ITS contains standard templates for this register.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an Opinion on the European Commission’s (Commission) rejection of the draft Implementing Technical Standard (ITS) on the register of information under the Digital Operational Resilience Act (DORA).

On 13 March 2024, the European Commission adopted:

Commission Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

On 8 December 2023 the European Supervisory Authorities (ESAs) launched public consultation on a second package of technical standards under Digital Operational Resilience Act (DORA). This includes the following draft regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines.

On 1 December 2023, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published its second publication on the Digital Operational Resilience Act (Regulation (EU) 2022/2554, the DORA). The publication focuses on the management of information, communication and technology (ICT) risks for third-party providers and aims to enable in-scope financial institutions to analyse their current readiness with DORA in these areas and assess what further steps they need to take to comply.