DORA - Improving digital operational resilience against cyberattacks
Initiative
Official name
REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (COM(2020)0595 – C9-0304/2020 – 2020/0266(COD))
Type
Regulation
Level 1
Initiator
EU
Submitted
19.12.2019
Doc. code
2022/2554
Summary
Status
Status
Current version
Final version
Next step
Entry into force and application
Entry into force
Application date
Scope
Relevant for
Associated initiatives
Level 1
DORA Directive
(binding, Amendment, EU)
Regulation on a framework for Financial Data Access (Open Finance - FIDA)
(binding, Main version, Amendment, EU)
Digital operativ motståndskraft för finanssektorn (Digital operational resilience for the financial sector)
(binding, Main version, Amendment, SE)
Financial Market Digitization Act - FinmadiG
(binding, Main version, Amendment, DE)
DORA Enforcement Act
(binding, Main version, Amendment, AT)
Level 2
Implementation decision digital operational resilience financial sector - Uitvoeringsbesluit verordening digitale operationele weerbaarheid
(binding, Amendment, NL)
Finansinspektionens föreslår föreskrifter och allmänna råd om insättningssystem (general guidelines on deposit schemes)
(binding, Main version, SE)
Ändringar i Finansinspektionens föreskrifter och allmänna råd om hantering av operativa risker (Amendments to regulations and general guidelines on operational risk management)
(binding, Amendment, SE)
Regulation amending the Credit Institutions Risk Management Regulation
(binding, Amendment, AT)
RTS on ICT risk management tools methods processes and policies (DORA package 1)
(binding, Supplement, EU)
RTS on criteria for the classification of ICT related incidents (DORA package 1)
(binding, Supplement, EU)
ITS on the register of information on the use of ICT third-party services (DORA package 1)
(binding, Supplement, EU)
RTS on the policy on the use of ICT third-party services supporting critical or important functions (DORA package 1)
(binding, Supplement, EU)
Specification of the criteria for designation of ICT third-party service providers as critical for financial entities
(binding, Supplement, EU)
Amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers
(binding, Supplement, EU)
Guidelines on aggregated costs and losses from major ICT-related incidents (DORA package 2)
(binding, Supplement, EU)
RTS on subcontracting of critical or important functions including outsourcing management (DORA package 2)
(binding, Supplement, EU)
RTS on oversight harmonisation under DORA (DORA package 2)
(binding, Supplement, EU)
Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities (DORA package 2)
(binding, Supplement, EU)
RTS on threat-led penetration testing (TLPT) (DORA package 2)
(binding, Supplement, EU)
RTS for the content of notifications and reports on major ICT incidents under DORA (DORA package 2)
(binding, Supplement, EU)
Level 3 / Other
Digital Finance Package
(non-binding, EU)
Criteria for critical ICT third-party service providers and oversight fees under DORA
(non-binding, Amendment, EU)
ESAs Report on the landscape of ICT third-party providers
(non-binding, EU)
FMA information letter regarding supervision of crypto asset service providers pursuant to MiCAR
(binding, AT)
Finansinspektionens förslag om allmänna råd om rapportering av händelser av väsentlig betydelse (general guidelines on the reporting of events of material significance)
(binding, Main version, SE)
EIOPA opinion on the scope of DORA in light of the review of the Solvency II framework
(non-binding, EU)
Report on operational policy tools for cyber resilience
(non-binding, EU)
EBA - FINAL Q&A: DORA - Other DORA topics
(binding, Supplement, EU)
Source: EU, 2022/2554, 2022