DORA enters next chapter with second batch of policy products
The European Supervisory Authorities (ESAs) kick off a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). Enacted on January 16, 2023, DORA is set to be in full swing from January 17, 2025, harmonising operational resilience rules for 21 types of financial entities.
The comprehensive legislation addresses critical aspects like ICT risk management, incident reporting, digital resilience testing, and ICT third-party risk management. The consultation package features four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS), and two sets of guidelines (GL).
Recognising the surge in ICT usage across financial entities, DORA aims to fortify digital operational resilience to mitigate cyber risks and cross-border disruptions. It brings a unified framework, applicable to diverse financial entities, covering crucial areas such as ICT risk management, incident reporting, and third-party risk management. From a supervisory perspective, DORA boosts awareness of cyber risks and fosters cooperation among competent authorities to effectively manage ICT and cyber risk. From an EU Oversight perspective, DORA introduces a framework to oversee systemic and concentration risks linked to ICT.
There’s a lot to dive into with this update – you can access all of the consultations here, with the introductory note providing an ideal starting point to understand the various issues. DORA is a significant new set of compliance and operational obligations for EU-based financial institutions.