Preparation for DORA application

The Digital Operational Resilience Act (DORA) will become applicable on 17 January 2025. From that date all financial entities in its scope will need to have a comprehensive register of their contractual arrangements with ICT third-party service providers available at entity, sub-consolidated and consolidated levels.

The registers will serve for:

financial entities to monitor their ICT third-party risk,
the EU competent authorities to supervise ICT and third-party risk management at the financial entities and
the ESAs to designate the critical ICT third-party service provides (CTPP) which will be subject to an EU-level oversight.

To help financial entities be ready with the preparation and submission of their registers of information from January 2025, the ESAs and competent authorities will carry out a dry run exercise on a best-efforts basis in 2024.

Documents

Factsheet: ‘dry run’ to prepare for DORA

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Documents

Links