DORA – Digital operational resilience in the financial sector
Strengthening cybersecurity
DORA – objectives and thematic areas
DORA stands for the Digital Operational Resilience Act. The associated requirements, which are part of the European Commission’s Digital Finance Package, are based in particular on the DORA Regulation, which applies to almost all financial undertakings supervised by the Financial Market Authority (FMA) from 17 January 2025.
In particular, its objective is to strengthen cybersecurity in the EU financial sector, a goal already addressed in the European Commission’s FinTech Action Plan of 2018.
DORA also achieves a harmonisation and further development of the requirements on digital operational resilience and covers the following thematic areas:
FMA activities
The FMA is active in various committees focused on legal development and for reaching agreements on supervisory convergence, is currently making the necessary preparations for the new requirements and is also supporting supervised entities in their implementation of DORA.
The FMA selects thematic priorities for supervision and in 2024 is drawing up its Austrian Digital Landscape: in addition to evaluating the level of digitalisation of business operations, it evaluates supervised entities’ operational resilience with regard to their information technology landscape (IT landscape), the interdependencies arising from information and communication technologies (ICT interdependencies) and their cyber-resilience.
This focus allows the FMA to take adequate account of the implications of digitalisation among supervised entities in its risk-based approach to supervision and in the general supervisory assessment of undertakings, and to identify the relevant ICT service providers in the Austrian financial market.
The Austrian Digital Landscape is a continuation of the Digitalisation Studies conducted to date.
DORA-related questions should be addressed to the following e-mail address:
The webinar organised by the FMA on 5 November 2024 presented various DORA-related topics and questions were answered.
The presentation from the event and questions are available in German only.
Präsentationsunterlagen DORA-Webinar 5.11.2024 (Format: pdf, Size: 1,6 MB, Language: German)
Hinweise zum Webinar 5.11.24 (Format: pdf, Size: 214,6 KB, Language: German)
As announced, ‘Questions and answers’ on the respective subject areas will also be updated subsequently.
General questions regarding DORA
DORA applies from 17.01.2025. No transitional periods are planned.
Article 2 (1) of the DORA Regulation (DORA) states that it applies to:
- credit institutions,
- payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366,
- account information service providers,
- electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC,
- investment firms,
- crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’), and issuers of asset-referenced tokens;
- central securities depositories,
- central counterparties,
- trading venues,
- trade repositories,
- managers of alternative investment funds,
- management companies,
- data reporting services,
- insurance and reinsurance undertakings,
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
- institutions for occupational retirement provision,
- ratings agencies,
- administrators of critical benchmarks,
- crowdfunding service providers,
- securitisation repositories,
- ICT third-party service providers.
It does not apply to (Article 2 (3) DORA):
- managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
- insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
- institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
- natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;
- post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.
The DORA Enforcement Act also contains additional rules regarding its scope of application, which extend the scope of application of DORA to cover “national” credit institutions under Article 1 para. 1 of the Austrian Banking Act (BWG; Bankwesengesetz) and exclude non-profit housing associations acting in the public interest.
Article 3. (1) The rules contained in this Federal Act, Regulation (EU) 2022/2554, as well as delegated and implementing acts issued based on that Regulation shall apply to credit institutions pursuant to Article 1 para. 1 BWG that are not any of the legal entities listed in points a to t of Article 2(1) of Regulation (EU) 2022/2554, as if they were credit institutions pursuant to Article 2(1) point a of Regulation (EU) 2022/2554.
(2) Regulation (EU) 2022/2554 and this Federal Act shall not apply to enterprises recognised as non-profit housing associations where they conduct transactions listed in Article 1 para. 1 BWG that are part of their core transactions.
In addition, reference is made to the requirements for the simplified ICT risk management framework (Article 16 DORA).
Furthermore, DORA also contains simplifications for “microenterprises” (Article 3 (60) DORA). Microenterprises are financial entities, other than a trading venue, a central counterparty, a trade repository or a central securities depository that employ fewer than 10 persons and that have an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.
The principle of proportionality is to be taken into account in applying the rules in DORA, with regard to the size and overall risk profile as well as the nature, scope and complexity of the services, activities and transactions conducted by financial undertakings.
While this principle is defined in general terms for the Chapter on ICT risk management (Article 4(1) DORA), for the areas of ICT-related incidents, digital operational resilience testing and management of ICT third-party risk it applies only where the relevant rules specifically provide for it (Article 4(2) DORA).
News
The Implementing Regulation (EU) 2024/2956 on the Register of Information was published on 02.12.2024.
The ESAs published a Decision on reporting of information necessary for the designation of critical ICT third-party service providers on 15 November 2024:
In 2025, registers of information should be prepared for the reference date 31 March 2025. The competent authorities should submit registers of information to the ESAs by 30 April 2025. Supervised entities are expected to report their registers of information for 2025 to the FMA in the first weeks of April.
The ESAs have also published validation rules and a visual representation of the data model.
An ESA workshop about registers of information and the Dry Run exercise will take place on 18 December 2024.
FMA and OeNB remarks about questions received during the webinar held on 05.11.2024:
Hinweise zum Webinar 5.11.24 (Format: pdf, Size: 214,6 KB, Language: German)
In a joint press release, the European Supervisory Authorities (EBA, EIOPA and ESMA – “ESAs”) issued an opinion about the European Commission’s rejection of the draft Implementing Technical Standards (ITS) on registers of information under DORA.
ESAs Press Release on the European Commission's Rejection of the ITS on Registers of Information
More detailed information can be found in the foldout “ITS Registers of Information” under “Legal bases”.
Questions regarding FMA and OeNB’s supervisory expectations
ICT inspections by the Oesterreichische Nationalbank (OeNB) and the Austrian Financial Market Authority (FMA) will also consider rules under the DORA regime in the future. At the current juncture, there is no intention to conduct on-site inspections focussing solely on DORA.
Other supervisory measures, for example questionnaires, deep dives or cyber exercises will continue to be conducted in line with the priorities for supervision.
Further DORA-specific information submissions in addition to the register of information are not expected to take place in late January 2025.
The FMA and OeNB are well aware that specific challenges arise regarding the DORA requirements.
The DORA regulations do not stipulate a transitional period regarding their application.
The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to the up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.
More about DORA
Click on the respective thematic area to obtain further information.
- ICT risk management
- ICT-related incidents
- Digital operational resilience testing
- Management of ICT third-party risk
- Oversight framework of critical ICT third-party service providers
- Exchange of information & contingency exercises
- ESA Q&As
Legal bases
Regulation (EU) 2022/2554 covers the fundamental standards on digital operational resilience for the EU financial sector.
Directive (EU) 2022/2556 amends existing sectoral directives to ensure their consistency with DORA requirements.
The DORA Enforcement Act (DORA-VG), which was passed by the National Council on 03 July 2024, implements the DORA Regulation and amends other Austrian legislation.
Based on the empowerments afforded to the European Commission in the DORA Regulation, the following legal acts have been issued:
Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
Supplementary Implementing and Regulatory Technical Standards to Regulation (EU) 2022/2554:
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
Publication in the EU Official Journal outstanding:
- Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities (not in force until it is published in the Official Journal)
- Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (not in force until it is published in the Official Journal)
Final drafts in the second wave
The ESAs’ final reports for the second wave of draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as Guidelines were published on 17 July 2024:
Final report draft RTS on joint examination teams (Format: pdf, Size: 545,1 KB, Language: English)
Final report draft RTS and ITS on incident reporting (Format: pdf, Size: 1,4 MB, Language: English)
Final report DORA RTS on subcontracting (Format: pdf, Size: 745,5 KB, Language: English)
Second wave of consultations
The public consultations for the second wave of draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as Guidelines ran until 04 March 2024:
CP on draft RTS subcontracting (Format: pdf, Size: 460,7 KB, Language: English)
CP on draft GL on costs and losses (Format: pdf, Size: 367,9 KB, Language: English)
CP on draft RTS on oversight harmonisation (Format: pdf, Size: 582,5 KB, Language: English)
CP on draft Guidelines on oversight cooperation (Format: pdf, Size: 504,2 KB, Language: English)
CP on draft RTS on TLPT (Format: pdf, Size: 703,0 KB, Language: English)
Final reports in the first wave
On 17 January 2024, the European Supervisory Authorities published the first final draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS):
Final report on draft ITS on Register of Information (Format: pdf, Size: 2,9 MB, Language: English)
First wave of consultations
The public consultations for the first wave of draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as Guidelines ran until 11 September 2023:
CP on draft RTS on ICT risk management (Format: pdf, Size: 953,0 KB, Language: English)
CP on draft ITS on register of information (Format: pdf, Size: 1,5 MB, Language: English)
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
History:
ESAs Press Release on the European Commission's Rejection of the ITS on Registers of Information
Final report on draft ITS on Register of Information (Format: pdf, Size: 2,9 MB, Language: English)
EU-Systemic Cyber Incident Coordination Framework (EU-SCICF):
ESAs Factsheet on the EU SCICF (Format: pdf, Size: 2,2 MB, Language: English)
ESAs establish framework to strengthen coordination in case of systemic cyber incidents