Digital operational resilience (DORA)
Given the ever-increasing risk of cyber-attacks, the EU is strengthening the IT security of the financial market. As part of this effort, the EU has adopted Regulation 2022/2554 on Digital Operational Resilience for the Financial Sector (DORA), which is part of the European Commission’s Digital Package presented in September 2020.
DORA regulation
- Delivers harmonisation of IT security rules across the financial market;
- In addition to the financial health of entities, focuses on their sustainable operations in the event of a critical information and communication technology (ICT) disruption;
- Addresses five areas of the requirements for digital operational resilience:
  - ICT risk management;
  - Management, classification and reporting of ICT incidents;
  - Digital operational resilience testing;
  - ICT third-party service providers’ risk management, including the oversight framework;
  - Information sharing.
The DORA regulation will apply from 17 January 2025. Most categories of supervised entities are in scope, subject to several exceptions and in accordance with the principle of proportionality.
Information on DORA on the websites of the European Supervisory Authorities
News
- 20.12.2024 Publication of the information on reporting of major ICT-related incidents and voluntary notification of significant cyber threats
- 20.12.2024 Publication of the XLSX template for the purposes of the reporting of major ICT-related incidents and for the purposes of the voluntary notification of significant cyber threats
- 11.12.2024 DORA workshop on the second batch of level 2 regulation
- 04.12.2024 Publication of ESAs Statement on DORA application
- 15.11.2024 The ESAs announce the timeline to collect information for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act. More information will be shared at an online workshop organised by the ESAs on 18.12.2024. Interested parties can register by 16 December 2024 at the following link
- 15.10.2024 Publication of EBA, ESMA and EIOPA opinion on the European Commission’s rejection of the draft ITS on the registers of information and proposals for further changes to this ITS
- 17.07.2024 Publication of the second batch of the final drafts of implementing regulation on the websites of EBA, ESMA and EIOPA
- 19.06.2024 DORA workshop on the first batch of level 2 regulation
- 31.05.2024 Publication of templates and tools for voluntary dry-run exercise on the websites of EBA, ESMA and EIOPA
- 30.04.2024 Joint EBA, ESMA, EIOPA public event on voluntary dry-run on collection of registers of information
- 18.04.2024 Launch of public consultation on the draft RTS on JET (Joint Examination Teams) by EBA, ESMA and EIOPA
- 04.03.2024 Closing of the public consultation on the second batch of implementing regulation
- 23.01.2024 Public hearing on the second batch of implementing regulation
- 17.01.2024 Publication of the first batch of the final drafts of implementing regulation on the websites of EBA, ESMA and EIOPA
Legislation
The DORA framework consists of the DORA Regulation itself, its implementing regulation (RTS, ITS) and the amending Directive (EU) 2022/2556 of the European Parliament and of the Council.
The implementing regulation, including the accompanying guidelines, is being prepared and published gradually in two batches.
The first batch was submitted by the European Supervisory Authorities to the Commission on 17 January 2024 and covers the following areas:
- ICT risk management framework (including simplified risk management framework);
- Criteria for the classification of ICT incidents;
- Templates for the register of information (on ICT third party service providers);
- Policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
The second batch was submitted by the European Supervisory Authorities to the Commission by 17 July 2024 and covers the following areas:
- Reporting of major ICT incidents, including templates;
- Estimation of aggregated costs/losses caused by major ICT incidents;
- Threat-Led Penetration Testing – TLPT;
- Specification of sub-contracting of critical or important functions;
- Cooperation between European Supervisory Authorities and national authorities in the oversight of critical ICT third party service providers;
- Criteria for determining critical external ICT service providers;
- Supervision fees from critical external ICT service providers.
Information on reporting of major ICT-related incidents and voluntary notification of significant cyber threats
From 17.1.2025, financial entities within the scope of the DORA Regulation shall report major ICT-related incidents and may, on a voluntary basis, notify significant cyber threats to the relevant competent authority.
When determining the severity of an ICT-related incident and the significance of a cyber threat, financial entities shall proceed in accordance with the criteria and thresholds set out in Commission Delegated Regulation (EU) 2024/1772. The content and time limits for reports, as well as standard forms, templates and procedures are established in the regulatory technical standards and implementing technical standards (final draft).
Reports based on the following templates are submitted electronically via the Statistical collection portal information system, as an attachment to the report with code “dor_01”:
- DORA Incident reporting Template V1.2.xlsx (127.95 kB)
- DORA significant cyber threats Template V1.2.xlsx (65.68 kB)