Conference on DORA: key takeaways 

The DORA regulation (2022/2554) establishes uniform requirements for financial institutions with regard to the security of networks and information systems supporting the business processes of financial entities. In particular, for : 

• ICT risk management
• ICT-related incident management
• Digital operational resilience testing
• ICT third-party risk
• Information sharing

The scope is therefore broader than the activities usually covered by the outsourcing arrangements, and financial entities will have to monitor all their ICT arrangements.

The DORA is followed by 15 policy mandates given to ESAs:

• 8 Regulatory Technical Standards (RTS)
• 2 Implementing Technical Standards (ITS)
• 2 guidelines
• 1 feasibility report on the incident reporting hub
• Answers to 2 calls for advice from the European Commission.

RTS and ITS will be open for consultation, and the ABBL together with its members will take part in this advocacy work.

Stay tuned: the ABBL will organise two further events on DORA once the RTS and ITS are finalised to keep its members informed.

DORA entered into force on 17 January 2023 and will apply from 17 January 2025. The CSSF suggests to in-scope institutions to be proactive and to start getting prepared for DORA already now and read the text in conjunction with soon to be published RTS and ITS.