Status: In force, applies as of 17 January 2025.
EUR-Lex link: The adopted and published version, including other language versions, can be found here.
Full name: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
Type: Regulation.
Objective and key elements:
- Increase operational resilience and cyber security within the financial sector
- Enables information-sharing arrangements between financial entities
- Introduces binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM)
- Allows financial services (FS) supervisors to oversee Critical ICT Third-Party Providers (CTPPs), including Cloud Service Providers (CSPs)
- Includes detailed requirements on the content of agreements with third-party providers
Relevant to: Traditionally regulated entities within the financial sector, such as banks and fintechs, as well as newer fintech entities such as those in crypto, but also third-party suppliers to such entities.
Next steps:
- The draft technical standards have been provided to the EU Commission; many have already been adopted by the Commission and some are awaiting adoption in the near future (see below for more information).
- Local law implementation in respect of enforcement: Member States are to notify any laws, regulations and administrative provisions related to enforcement, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by 17 January 2025 at the latest.
- Sweden specific: On 17 January 2025, the requirements to report serious ICT-related incidents under DORA came into effect. The Swedish FSA has published the reporting forms that need to be completed. This applies both to the reporting of serious ICT-related incidents and to the voluntary reporting of significant cyber threats.
Technical standards:
The European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, together the ESAs) have developed technical standards that supplement and specify the rules of DORA. From a regulatory perspective, technical standards are complementary instruments that set out in more detail the requirements under specific articles of DORA.
Public consultations on the first and second batches took place in 2023-2024 and led to specific changes to the technical standards. A set of draft regulatory technical standards (RTS) and a set of implementing technical standards (ITS) were submitted to the Commission by the ESAs; they are at various stages of adoption (outlined below).
RTS (establishing the content for the reports and the timeline):
- Regulatory Technical Standards setting out detailed requirements on the ICT risk management framework (Articles 15-16 DORA) are available here.
- Regulatory Technical Standards setting out detailed requirements on the classification of ICT-related incidents (Article 18(3) DORA) are available here.
- Regulatory Technical Standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Article 19 DORA) (the Reporting RTS) are available here.
- Regulatory Technical Standards specifying elements related to threat-led penetration tests (Article 26(11) DORA) are available here.
- Regulatory Technical Standards specifying the policy on ICT services performed by ICT third-party providers (Article 28(10) DORA) are available here.
- Regulatory Technical Standards specifying the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions (Article 30(5) DORA) are available here.
- Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities (Article 41(1)(a), (b) and (d) DORA) are available here.
- Regulatory Technical Standards specifying the criteria for determining the composition of the joint examination team for the conduct of the oversight activities (Article 41(1)(c) DORA) are available here.
ITS (establishing the standard reporting forms, templates and procedures):
- Implementing Technical Standards with regard to standard templates for the register of information in relation to all contractual arrangements on the use of ICT services (Article 28(9) DORA) are available here.
- Implementing Technical Standards with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (Article 19 DORA) (the Reporting ITS) are available here.
Guidelines applying from 17 January 2025:
- Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under DORA are available here.
- Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under DORA are available here.
Other:
The ESAs also published:
- ESAs' Decision on the reporting by competent authorities to the ESAs of the information necessary for the designation of critical ICT third-party service providers (available here).
- Delegated Regulation further specifying the criticality criteria for critical ICT third-party service providers (Article 31 DORA), available here.
- Delegated Regulation determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers (Article 43 DORA), available here.
(Last updated 28 October 2025)