Topic: Digital operational resilience in financial services dora

On 6 November 2024, the Joint Committee of the European Supervisory Authorities (ESAs) published joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under the Regulation on digital operational resilience for the financial sector (DORA).

On 24 October 2024, the European Commission adopted a Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) on harmonisation of conditions enabling the conduct of the oversight activities.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an opinion regarding the European Commission’s (EC) rejection of the draft Implementing Technical Standards (the Draft ITS) for the register of information under the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). DORA requires financial entities to maintain and regularly update a register of information covering all contractual agreements with ICT third-party service providers. This register is crucial for managing third-party ICT risks and will enable the EU competent authorities and ESAs to supervise compliance with DORA and identify critical ICT service providers subject the DORA’s oversight framework. The Draft ITS contains standard templates for this register.

On 15 October 2024, the European Supervisory Authorities (ESAs) issued an Opinion on the European Commission’s (Commission) rejection of the draft Implementing Technical Standard (ITS) on the register of information under the Digital Operational Resilience Act (DORA).

On 13 March 2024, the European Commission adopted:

Commission Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

On 8 December 2023 the European Supervisory Authorities (ESAs) launched public consultation on a second package of technical standards under Digital Operational Resilience Act (DORA). This includes the following draft regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines.

On 1 December 2023, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published its second publication on the Digital Operational Resilience Act (Regulation (EU) 2022/2554, the DORA). The publication focuses on the management of information, communication and technology (ICT) risks for third-party providers and aims to enable in-scope financial institutions to analyse their current readiness with DORA in these areas and assess what further steps they need to take to comply.

On 19 June 2023 the European Supervisory Authorities (ESAs) launched a public consultation on a first batch of regulatory and implementing technical standards (RTS and ITS) under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). This covers the draft RTS and ITS that the ESAs are expected to submit to the European Commission by 17 January 2024.

On 26 May 2023, the European Supervisory Authorities (ESAs) published a joint Discussion Paper on criteria for critical ICT third-party service providers and oversight fees. This Discussion Paper follows the request for technical advice that was sent by the European Commission (Commission) to the ESAs in late December 2022.

On 1 March 2023, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published the results of an exploratory investigation into IT incident management in the capital markets. The AFM carried out this study in relation to eight trading venue operators and proprietary traders based on a self-assessment and IT incident notifications reported to the AFM.