EU Authorities Consult On First Batch Of DORA Policies

June 21, 2023
The European Supervisory Authorities (ESAs) have launched a public consultation on the first round of policy products under the Digital Operational Resilience Act (DORA).

The announcement was made by the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).

The consultation, which will run until September 11, consists of four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS).

The draft technical standards are:

  • RTS on information and communications technology (ICT) risk management framework and RTS on simplified ICT risk management framework.
  • RTS on criteria for the classification of ICT-related incidents.
  • ITS to establish the templates for the register of information.
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.

DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.

This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk.

What’s more, it applies to practically everyone in the payments industry, and beyond.

Worryingly for the industry, recent reporting by VIXIO found that payment service providers (PSPs) may not be paying enough attention to the regulation.

Once enforced, the regulation will mean increased compliance requirements for firms that outsource ICT. For example, these firms may need to rewrite contracts with third-party providers to factor in the requirements set out by the regulation.

Within DORA, the ESAs have been mandated to jointly develop a total of 13 policy instruments in two batches.

They must finalise and submit the first batch of technical standards to the European Commission by January 17, 2024.

Consultation on the second batch of policy products is due to begin in either November or December this year, for submission to the European Commission by July 2024.
