Implementing the DORA regulation: are you ready for the next step?

by Maria Luisa Renzi - Data Protection Consultant

With the adoption of the Digital Operational Resilience Act (DORA), the Council of the EU wants to make sure the European financial sector can remain resilient in the event of a severe operational disruption. The DORA regulation came into force on January 17, 2023, with a two-year implementation window. It’s time to take stock of what has already been achieved and what’s coming down the proverbial pipeline.

Regulation (EU) 2022/2554, better known as the DORA regulation, is the legislative act that provides new and uniform requirements concerning the security of network and information systems within financial entities such as banks, insurance companies, investment firms, and other companies that provide financial services in Europe. The legislative framework, purposes, and impact of this new regulation have already been highlighted in a previous Sopra Steria blog post about DORA.

Policy instruments

We are now in the two-year implementation period for impacted financial organisations, such as the ones mentioned above. In that context, it’s important to underline that the DORA regulation is not exhaustive. It requires the adoption of ancillary instruments, the drafting of which is entrusted to the European Supervisory Authorities (ESAs). These include the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).

The instruments these ESAs are mandated to draft — in order to provide clarification and operational guidance on the specific requirements of the regulation — can be divided into two categories:

  • Regulatory technical standards (RTS)
  • Implementing technical standards (ITS)

These technical standards aim to ensure a consistent, coherent, and harmonised legal framework in the areas of ICT risk management, major or serious ICT-related incident reporting, and third-party ICT risk management. Further details and components are provided to financial entities to establish standard forms, templates, ICT security policies, procedures, protocols, and tools to ensure cybersecurity resilience and report significant cyberthreats to the relevant authorities.

First batch for consultation

Specifically, the regulation has mandated the ESAs to develop a total of 13 policy instruments in two batches: the first one includes 3 draft regulatory technical standards (RTS) and one draft implementing technical standard (ITS). Each batch of technical standards will be subject to an open consultation period to gather feedback from the various stakeholders, at the end of which the policy instruments will be sent to the European Commission (the “Commission”) for adoption.

A public consultation for the first batch of technical standards was launched on June 19. It will close on September 11, 2023. The ESAs will then submit these drafts of RTS and ITS to the Commission by January 17, 2024.

Here’s a quick overview of the first batch of standards:

Don’t hesitate to contact me or my colleagues for more details about this first batch of technical standards. As data protection experts, we can help you proactively assess the potential impact of these new requirements and develop a realistic, achievable implementation plan. Remember, you have less than two years to get this right!