-
NBS Tasks
Browse topics
- Monetary policy
- Financial market supervision
- Financial stability
- Banknotes and coins
- Payments
- Statistics
- Research
- Legislation
-
Publications
- Activity Report of the NBS Innovation Hub Annual Report Economic and Monetary Developments Financial Stability Report Investment Policy Statement of the National Bank of Slovakia Macroprudential Commentary Policy Briefs
- Report on the Activities of the Financial Market Supervision Unit Research Papers: Working and Occasional Papers (WP/OP) Statistical Bulletin Structural Challenges Other publications Sign up for your email notifications about publications
- About the Bank
- Media
- Frequently asked questions
-
For the public
Browse topics
- About the Bank
- Exchange rates and interest rates
- Banknotes and coins
- Payments
- Financial stability
- Financial market supervision
- Statistics
- Legislation
-
Publications
- Activity Report of the NBS Innovation Hub Annual Report Economic and Monetary Developments Financial Stability Report Macroprudential Commentary
- Report on the Activities of the Financial Market Supervision Unit Statistical Bulletin Other publications Sign up for your email notifications about publications
- Frequently asked questions
- Media
- Careers
- Contact
Digital operational resilience (DORA)
Given the ever-increasing risks of cyber-attacks, the EU is strengthening the IT security of the financial market. As part of this effort, the EU has adopted Regulation 2022/2554 on the Digital Operational Resilience for the Financial Sector (DORA) included in the European Commission’s Digital Package, which was presented in September 2020.
DORA regulation
- Delivers harmonisation of IT security rules across the financial market;
- In addition to the financial health of entities, it also focuses attention on their sustainable operations in the event of a critical information and communication technology (ICT) disruption;
- Addresses five areas of the requirements for digital operational resilience:
- ICT risk management;
- Management, classification, reporting of ICT incidents;
- Digital operational resilience testing;
- ICT third party service providers’ risk management, including the oversight framework;
- Information sharing.
DORA regulation will apply from 17 January 2025. Most of the categories of supervised entities are included into scope, with the application of several exceptions and in accordance with the principle of proportionality.
Information on DORA on the websites of the European Supervisory Authorities
News
- 30.4.2024 Joint EBA, ESMA, EIOPA public event on voluntary dry-run on collection of registers of information
- 25.4.2024 Deadline for workshop registration held on 30.4.2024
- 18.4.2024 Launch of public consultation on the draft RTS on JET (Joint Examination Teams) by EBA, ESMA a EIOPA
- 4.3.2024 Closing of the public consultation on the second batch of implementing regulation
- 23.1.2024 Public hearing on the second batch of implementing regulation
- 17.1.2024 Publication of the first batch of the final drafts of implementing regulation on the websites of EBA, ESMA and EIOPA
- 8.12.2023 Launch of public consultation on the second batch of implementing regulation
- 3.10.2023 Conference Slovak Financial Market and Innovations 2023
- 11.9.2023 Closing of the public consultation on the first batch of implementing regulation
- 13.7.2023 Public hearing on the first batch of implementing regulation
- 19.6.2023 Launch of public consultation on the first batch of implementing regulation
Legislation
The DORA framework consists of the DORA Regulation itself, its implementing regulation (RTS, ITS) and the amending Directive (EU) 2022/2556 of the European Parliament and of the Council.
The implementing regulation, including the accompanying guidelines, are currently under preparation in two batches.
The first batch was submitted by the European Supervisory Authorities to the Commission on 17 January 2024 and includes areas:
- ICT risk management framework (including simplified risk management framework),
- Criteria for the classification of ICT incidents;
- Templates for the register of information (on ICT third party service providers);
- Policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
The second batch is to be submitted by the European Supervisory Authorities to the Commission by 17 July 2024 and includes areas:
- Reporting of major ICT incidents, including templates;
- Estimation of aggregated costs/losses caused by major ICT incidents;
- Threat-Led Penetration Testing – TLPT;
- Specification of sub-contracting of critical or important functions;
- Cooperation between European Supervisory Authorities and national authorities in the oversight of critical ICT third party service providers;
- Specification of information on oversight of critical ICT third party service providers.