
Digital operational resilience (DORA)

Given the ever-increasing risk of cyber-attacks, the EU is strengthening the IT security of the financial market. As part of this effort, the EU has adopted Regulation 2022/2554 on Digital Operational Resilience for the Financial Sector (DORA), which is part of the European Commission’s Digital Package presented in September 2020.

DORA regulation

  • Delivers harmonisation of IT security rules across the financial market;
  • In addition to the financial health of entities, it also focuses on their ability to sustain operations in the event of a critical information and communication technology (ICT) disruption;
  • Addresses five areas of the requirements for digital operational resilience:
    • ICT risk management;
    • Management, classification and reporting of ICT incidents;
    • Digital operational resilience testing;
    • ICT third-party service providers’ risk management, including the oversight framework;
    • Information sharing.

The DORA regulation will apply from 17 January 2025. Most categories of supervised entities fall within its scope, subject to several exceptions and in accordance with the principle of proportionality.

Information on DORA on the websites of the European Supervisory Authorities



The DORA framework consists of the DORA Regulation itself, its implementing regulations (RTS, ITS) and the amending Directive (EU) 2022/2556 of the European Parliament and of the Council.

The implementing regulations, including the accompanying guidelines, are currently being prepared in two batches.

The first batch was submitted by the European Supervisory Authorities to the Commission on 17 January 2024 and covers the following areas:

  • ICT risk management framework (including the simplified risk management framework);
  • Criteria for the classification of ICT incidents;
  • Templates for the register of information (on ICT third-party service providers);
  • Policy on contractual arrangements for the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

The second batch is to be submitted by the European Supervisory Authorities to the Commission by 17 July 2024 and covers the following areas:

  • Reporting of major ICT incidents, including templates;
  • Estimation of aggregated costs and losses caused by major ICT incidents;
  • Threat-Led Penetration Testing – TLPT;
  • Specification of sub-contracting of critical or important functions;
  • Cooperation between the European Supervisory Authorities and national authorities in the oversight of critical ICT third-party service providers;
  • Specification of information on the oversight of critical ICT third-party service providers.