
Digital Operational Resilience Act (DORA)

Overview

Regulation (EU) 2022/2554 on digital operational resilience in the financial sector contains rules for the protection, detection, mitigation and recovery in relation to risks in the field of information and communication technology (ICT) and is applicable from 17 January 2025. The regulation generally applies to all financial market sectors, and therefore to most of the entities in Austria supervised by the FMA. Its objective is to strengthen the resilience of the European financial market against the threat of cyber attacks, and therefore to contribute towards a high level of protection for investors and consumers within the European Union.

The Regulation consolidates, updates and improves the various existing rules dealing with digital risks in the financial sector. With regard to the high level of digitalisation and connectivity in the provision of financial services, this Regulation also intends to take into account that the financial robustness of financial market participants may be increasingly affected by ICT incidents and a lack of operational resilience.

The framework is very ambitious and covers qualitative standards for the ICT security of supervised entities and for the handling of ICT-related incidents, as well as standards for centrally controlled resilience tests and a European monitoring programme for critical ICT service providers. This requires new structures within, as well as communication interfaces between, the many players involved (supervised entities, national and European authorities).

The Pillars of DORA

Graphic showing the four pillars of DORA

Sectoral guidelines and rules are centralised and harmonised under the heading ICT risk management. The rules in this area are comprehensive and include the following points:

  • ICT risk controlling
  • Technical thematic areas (e.g. patch management, cryptography, logging, recovery)
  • ICT project management
  • Employment – training and access control
  • Incident and crisis management

The standards for handling ICT-related incidents primarily cover the following obligations for supervised entities:

  • The entity must detect major ICT-related incidents based on a pre-defined catalogue of criteria.
  • A pre-defined brief notification must be sent to the competent national supervisory authority practically as soon as a major incident is identified.
  • An intermediate report is to be drawn up within a few days and submitted.
  • Lastly, a final report about the incident is to be drawn up using a pre-defined template.
  • National authorities must pass these reports immediately to the European Supervisory Authorities to be able to detect potential cross-border cyber crises.

In order to evaluate preparedness for the handling of ICT-related incidents and to identify weaknesses in digital operational resilience, supervised entities are required to draw up a comprehensive programme for digital operational resilience testing. A selected number of financial undertakings are also obliged to conduct Threat Led Penetration Tests (TLPTs). These are extended tests of ICT tools, systems and processes; the testing authority monitors that they are conducted properly and then certifies them.

  • Threat Intelligence-Based Ethical Red Teaming in Austria: TIBER-AT

Monitoring of ICT service providers occurs using the following scheme:

  • Supervised entities keep a register of their respective outsourced ICT services and submit a notification to their national supervisory authority.
  • This register is then passed on to the European Supervisory Authorities by the national supervisory authorities.
  • Based on this information, the European Supervisory Authorities identify ICT service providers that are to be classified as critical from a pan-European perspective.
  • A Joint Examination Team (JET) is allocated to every critical service provider, comprising staff members from the European and national authorities and using tools such as surveys and on-site audits for supervision.

The FMA’s activities

The FMA is accompanying supervised entities in the Austrian financial market in their preparations for DORA and also has various priorities for supervision in 2024. In connection with the Digitalisation Studies conducted to date, the FMA is performing an analysis exercise on the “Austrian Digital Landscape” to evaluate the degree of digitalisation of business operations as well as the operational resilience (IT landscape, ICT interdependencies, cyber resilience) of entities in the Austrian financial market. Preparations for the regulations contained in DORA are also being addressed. Entities will have the opportunity to make any necessary improvements in implementing the new regulatory standards before the rules are required to be observed at the start of 2025.

This focus will enable the FMA to adequately reflect the implications of digitalisation in supervised entities in its risk-based approach to supervision, to incorporate it into its general supervisory assessment of entities, and to identify the relevant ICT service providers for the Austrian financial market.

Contact and Q&A option

If you have any questions about DORA, you can contact the following e-mail address:

Quick links

Full text of the DORA Regulation: Regulation (EU) 2022/2554

DORA rules – 1st set: EBA, EIOPA, ESMA

Current status of consultations on DORA policy products: overview on the websites of EBA, EIOPA, ESMA

FMA Digitalisation Studies: Study on “Digitalisation of the Financial Market”

Insurance Supervision: Digitalisation

Pensionskassen Supervision: Digitalisation

Threat Intelligence-Based Ethical Red Teaming in Austria: TIBER-AT