Outdated browser

You are using an outdated browser. DNB.nl works best with:

DORA

Read aloud

The Digital Operational Resilience Act (DORA) is a European regulation aimed at increasing the digital operational resilience of the financial sector. Financial institutions must be aware that the preparations for the implementation of DORA will take some time. Despite the fact that some information will not be available until later in 2024, it is important that financial institutions already take as many steps as possible to prepare. We use this webpage to inform the various stakeholders on DORA-related topics.  

Most recent update: 2 July 2024 

DORA focuses on ICT risk management, ICT incidents, the periodic testing of digital operational resilience, the management of risks related to outsourcing to (critical) third parties and cooperation via information-sharing arrangements on cyber threats. DORA also introduces a framework for European supervision of critical third-party providers of ICT services. 

DORA is currently in the implementation phase, and institutions have until 17 January 2025 to comply with the legislation.   

The regulation  

DORA was published in the Official Journal of the European Union on 27 December 2022. DORA includes a regulation (NL / EN) and a directive (NL / EN). The regulation entered into force on 17 January 2023 and will apply from 17 January 2025. 

Technical standards  

The three European Supervisory Authorities (ESAs) are jointly responsible for the development of the technical standards for DORA. 

The development of the technical standards is divided into two sets.  

The first set was submitted to the European Commission (EC) on 17 January 2024. The regulatory technical standards (RTSs) were published in the Official Journal of the European Union and officially adopted as a result on 25 June 2024. The implementing technical standards (the ITS) follow a different process and will be adopted by the EC at a later date. The first set contains the following documents: 

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework(NL/EN)
  • RTS on criteria for the classification of ICT-related incidents(NL/EN)
  • ITS to establish the templates for the register of information (final report to the EC)
  • RTS to specify the policy on ICT services performed by ICT third-party providers(NL/EN)

The second set was open for public consultation until 4 March 2024. The consultation responses are currently being processed. The second set must be submitted to the European Commission by 17 July 2024. The second set contains the following documents:  

  • RTS and ITS on content, timelines and templates on incident reporting
  • GL on aggregated costs and losses from major incidents
  • RTS on subcontracting of critical or important functions
  • RTS on oversight harmonisation
  • GL on oversight cooperation between ESAs and competent authorities
  • RTS on threat-led penetration testing (TLPT) 

DNB uses cookies

We use cookies to optimise the user-friendliness of our website. 
Read more about the cookies we use and the data they collect in our cookie notice.

To ensure the proper operation of the website, De Nederlandsche Bank (DNB) uses functional cookies and analytics cookies, and has taken measures to ensure that these cookies have little or no impact on the privacy of website users.

Some pages include embedded content from external websites. These websites may use proprietary (tracking) cookies. This allows third parties to track visitor statistics, show personalised content and display targeted ads, for example. You can make your choice about allowing these optional cookies both when you first visit the website and when you navigate to a page with embedded content.