Digital operational resilience Act

The Digital Operational Resilience Act (DORA) (Regulation 2023/2554) establishes a comprehensive framework on digital operational resilience for EU financial entities. While all financial sector entities will be subject to DORA, ICT third-party providers who provide ICT services to financial entities and are identified as critical (critical third-party providers - CTPPs), will be subject to an EU oversight framework. The DORA oversight framework assigns to the three European Supervisory Authorities - ESAs (i.e. European Banking Authority – EBA , European Securities and Markets Authority - ESMA, European Insurance and Occupational Pension Authority - EIOPA) the role of Lead Overseer, to ensure that CTPPs are adequately monitored on a Pan-European scale, for the risks that they may pose to EU financial sector.

As part of the oversight activities, the EBA, as well the other ESAs designated as Lead Overseer, may request information to CTPPs, conduct off-site investigation and onsite inspection, impose penalties and issue recommendations to CTPPs.  The DORA oversight framework also benefits from the cooperation with ENISA (European Network and Information Security Agency); and with other EU competent authorities, which can support the Lead Overseer in the conduct of oversight activities and are responsible follow-up on the recommendations of the Lead Overseer with the financial entities they supervise. 

DORA mandates
Regulatory products and reports under the DORA mandate


Preparation for DORA application

The European Supervisory Authorities (ESAs) are currently preparing for the application of the Digital Operational Resilience Act (DORA), by focusing on policy implementation, setting up the oversight framework over critical third-party providers and related operational activities.

Find out more
preparation for dora implementation