Date Published 12/04/2023
European Supervisors focus on DORA
The three European Supervisory Authorities in the financial services sector, the EBA, EIOPA and ESMA (together the “ESAs”) held a joint event to conduct technical discussions regarding the Digital Operational Resilience Act (“DORA”) on 6 February 2023. The event was also available online and was well attended by representatives of credit and payment institutions, investment firms, (re)insurance undertakings, ICT third-party service providers and other financial entities and stakeholders. The purpose of DORA is to create a harmonised European regulatory framework concerning the information and communication technology (ICT) security of financial entities.
The purpose of this event was to allow industry participants to engage with the regulators on this impending legislation and raise areas of concern regarding the policies to be developed in the coming years to successfully implement it. Relevant policy mandates include ICT risk management, incident reporting, registers of information and criticality criteria. The cross-sectoral nature of DORA poses unique challenges to its successful implementation. The ESAs emphasised that an open public consultation is envisaged for every policy mandate in order to ensure all interested stakeholders will have scope to provide their written input on each draft mandate.
The event highlights the importance of DORA and ensuring the operational resilience of the financial industry generally. Financial services firms would be advised to familiarise themselves with the pending obligations of DORA in order to begin preparations to ensure related requirements can be met. In the Irish context, ensuring compliance with the issues raised in CP140 – Cross Industry Guidance on Operational Resilience will be an important step in this regard. Both the DORA Regulation (Regulation (EU) 2022/2554) and the DORA Directive (Directive (EU) 2022/2556) will enter into force on 16 January 2023 and will apply from 17 January 2025