Operational resilience

Operational resilience is defined as the ability of an institution to deliver critical operations through disruption. This builds on the prudential operational risk framework, encompassing internal governance, outsourcing, business continuity and relevant risk management-related aspects. Such ability enables an institution to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. EU legislation on digital operational resilience for the financial sector (DORA) sets targeted rules for institutions on ICT risk-management capabilities, incident reporting, digital operational resilience testing and ICT third-party risk monitoring. The ESAs are delivering a number of policy products, in the areas of ICT risk management, major ICT-related incident reporting, testing, monitoring of ICT third-party risk, aiming to ensure the consistent harmonisation of the DORA requirements.

Documents

Request for advice to the ESAs regarding designation criteria and fees for the DORA oversight framework

Links

Technical Standards, Guidelines & Recommendations

Technical standards

Guidelines

Opinions, Reports and other Publications

Reports

Other publications

29 September 2023

Joint-ESAs’ response to the Call for advice on the designation criteria and fees for the DORA oversight framework.pdf

Joint-ESAs’ response to the Call for advice on the designation criteria and fees for the DORA oversight framework

Download document View press release

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Operational resilience

Technical Standards, Guidelines & Recommendations

Technical standards

Implementing Technical Standards to establish the templates for the register of information

Regulatory Technical Standards on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers

Regulatory Technical Standards on criteria for the classification of ICT-related incidents

Regulatory Technical Standards on ICT risk management framework and on simplified ICT risk management framework

Joint Regulatory Technical Standards specifying elements related to threat led penetration tests

Joint Technical Standards on major incident reporting

Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions

Joint Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities

ESAs Joint Committee Technical standards under the Digital Operational Resilience Act (DORA)

Regulatory Technical Standards on resolution planning

Guidelines

Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities

Joint Guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents

Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP)

Guidelines for institutions and resolution authorities on improving resolvability

Guidelines on internal governance for investment firms

Guidelines on internal governance (second revision)

Guidelines on outsourcing arrangements

Guidelines on ICT and security risk management

Guidelines on ICT Risk Assessment under the SREP

Guidelines on necessary services

Opinions, Reports and other Publications

Reports

ESA 2023 22 - ESAs report on the landscape of ICT TPPs.pdf

Other publications

Joint-ESAs’ response to the Call for advice on the designation criteria and fees for the DORA oversight framework.pdf