Public consultation on DORA policy opens

  • 23 Jun 2023

Further steps forward have now been taken towards the implementation of the Digital Operational Resilience Act (DORA), which will apply to the European Union’s financial sector and its ICT providers from 17 January 2025. 

As part of the Act, the European Supervisory Authorities (ESAs) were given a mandate to jointly prepare “13 policy instruments” to be submitted in two batches (the first due on 17 January 2024 and the second on 17 June 2024) in order to operationalise the new rules.

Therefore, to meet the January deadline, the ESAs have now launched a public consultation on the first batch of technical standards. This first set of standards includes:

  • Regulatory Technical Standards (RTS) on ICT risk management framework and RTS on simplified ICT risk management framework
  • RTS on criteria for the classification of ICT-related incidents
  • Implementing Technical Standards (ITS) to establish the templates for the register of information
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

An outline of the consultation papers related to these standards can be found here.

This first consultation is due to last until 11 September, with the contributions published afterwards. The consultation process will also include a ‘public hearing’ webinar in July.

The ESAs also published a discussion paper last month following the “European Commission’s request for technical advice on the criteria for critical ICT third-party providers (CTPPs) and the oversight fees to be levied on them.” The deadline for feedback on this paper is 23 June, with the final report due to be established by 30 September 2023. The issuing of this technical advice, as well as the results of the above, will be eagerly awaited by organizations in the EU and beyond, since affected third-party ICT suppliers could effectively be based anywhere in the world.

It is expected that the implementation process for DORA will continue to be closely followed over the next two years, due to its significance to affected organizations and potential influence on any further regional regulations in this area that are yet to be developed. Indeed, the BCI’s Operational Resilience Report 2023 found that DORA was already one of the most adopted regulations when it comes to Operational Resilience, with even some non-regulated entities choosing to follow it for best practice purposes.

More information on the various facets of DORA and how it intends to improve the digital operational resilience of the sector can be found here.

If you are interested in engaging with other members who fall under DORA regulations or would like to make a unified response to any public consultation relating to DORA, please email [email protected] and we will be in touch.
