This brochure contains:
The Digital Operational Resilience Act ("DORA") (i.e. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011) together with:
- Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities;
- Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid;
- Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
- Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;
- Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
(the "Commission Delegated Regulations");
- Draft Implementing Technical Standards from the Final Report on Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554 (JC 2023 85 – published on 10 January 2024);
- RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyberthreats;
- RTS on subcontracting of critical or important functions (The ESAs indicated in their press release of 17 July 2024 that these RTS will be published in due course);
- RTS on the harmonisation of conditions enabling the conduct of the oversight activities;
- RTS specifying the criteria for determining the composition of the joint examination team (JET);
- RTS on threat-led penetration testing (TLPT)
(the "DORA RTS/ITS");
- Guidelines on aggregated costs and losses from major incidents;
- Guidelines on oversight cooperation between ESAs and competent authorities (Article32(7) of DORA)
(the "DORA GL").
Please note that DORA, the Commission Delegated Regulations, the DORA RTS/ITS and the DORA GL will enter into force from 17 January 2025.
By using the electronic version, you will have a direct access to the relevant Articles of DORA, the Commission Delegated Regulations, the DORA RTS/ITS and the DORA GL.
To view the full article, click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.