Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) establishes a comprehensive framework on digital operational resilience for EU financial entities. While all financial sector entities are subject to DORA, ICT third-party providers that provide ICT services to financial entities and are designated as critical (critical third-party providers, CTPPs) are additionally subject to an EU oversight framework. The DORA oversight framework assigns to the three European Supervisory Authorities (ESAs), i.e. the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), the role of Lead Overseer, so that each CTPP is adequately monitored on a pan-European scale for the risks it may pose to the EU financial sector.

As part of the oversight activities, the EBA, as well as the other ESAs when designated as Lead Overseer, may request information from CTPPs, conduct off-site investigations and on-site inspections, impose periodic penalty payments and issue recommendations to CTPPs. The DORA oversight framework also benefits from cooperation with ENISA (the European Union Agency for Cybersecurity) and with other EU competent authorities, which can support the Lead Overseer in the conduct of oversight activities and are responsible for following up on the recommendations of the Lead Overseer with the financial entities they supervise.