On 6th February 2023, the three European Supervisory Authorities (EBA, EIOPA and ESMA) held a joint public technical discussion about the Digital Operational Resilience Act (DORA).
The online event gathered over 2,000 representatives from credit and payment institutions, investment firms, (re)insurance undertakings, ICT third-party service providers, and other financial entities.
The event allowed industry participants to engage with regulators on the new legislation, share their initial views and raise any potential areas of concern regarding the policy mandates the European Supervisory Authorities (ESAs) have to develop over the course of 2023 and 2024.
During the event the ESAs provided a briefing on the DORA development process and timescales, committing to an open public consultation. François-Louis Michaud, Executive Director at the EBA, stated that “an open public consultation is envisaged for every policy mandate where all interested stakeholders will have time to provide their written input on each draft mandate.”
DORA is built on five pillars:
1. ICT risk management: a set of key principles and requirements for the ICT risk management framework.
2. ICT-related incident reporting: harmonise and streamline reporting, and extend reporting obligations to all financial entities.
3. Digital operational resilience testing: subject financial entities to basic testing or advanced testing (e.g. threat-led penetration tests, TLPTs).
4. ICT third-party risk: principle-based rules for monitoring third-party risk, key contractual provisions, and an oversight framework for critical ICT third-party providers (TPPs).
5. Information sharing: voluntary exchange of information and intelligence on cyber threats.
The presentations given during the event can be accessed below: