
9 February 2024 | 3 minute read

DORA Regulation: First steps in secondary legislation

On January 17, 2025, Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act, or simply DORA, will become applicable across the EU. Together with the Regulation on markets in crypto-assets (MiCA), it forms part of the EU digital finance package. DORA is a major step for the financial sector and for the ICT service providers that support it, introducing significant obligations on ICT risk management, incident reporting, resilience testing and third-party risk aimed at strengthening digital operational resilience.

The Regulation also mandates the three European Supervisory Authorities (EBA, EIOPA and ESMA, collectively the ESAs) to develop regulatory technical standards (RTS) and implementing technical standards (ITS). These secondary standards are intended to harmonize, clarify and specify the rules laid down in DORA.

On January 17, 2024, the ESAs published the first set of final draft RTS and ITS, which is now under review by the European Commission.

In this and subsequent articles, we’ll analyze the content of this first set of ITS and RTS, evaluating their impact and the possible implementation by the interested parties.

To begin, it is worth reviewing the approval procedure for RTS and ITS, so as to have a clear picture of the next steps and of the timing that can realistically be expected before the standards are finally adopted.

The procedure for the adoption and entry into force of RTS and ITS is governed by the ESAs' founding regulations, Regulations (EU) No 1093/2010, 1094/2010 and 1095/2010. The process is similar in its fundamental phases for both types of standard, but it has specificities depending on whether an RTS or an ITS is under examination. The key steps are:

  • The ESAs prepare a first draft of the standards and submit it to public consultation.

  • Taking into account the observations received during the consultation, the ESAs revise the drafts and, within the deadlines set by DORA (January 17, 2024 for the first set, July 17, 2024 for the second set), publish the final drafts and submit them to the Commission for endorsement.

  • The Commission has three months to endorse, reject or propose amendments to the drafts. For ITS only, this period can be extended by one month.

  • If it rejects the drafts or proposes amendments, the Commission returns them to the ESAs, which have six weeks to amend the text in line with the Commission's observations.

  • Once the amended text is received, the Commission can adopt the standards, accepting all or only some of the amendments made by the ESAs.

For RTS (but not ITS), the European Parliament and the Council may also intervene: within three months of being notified of the Commission's adoption of an RTS, either institution may object to it. This three-month period can be extended by a further three months.

If an objection is raised within that period, the RTS does not enter into force. If no objection is raised, the RTS is deemed adopted and is published in the Official Journal.

Pending final adoption, the final drafts published by the ESAs are not yet legally binding, but they are the best available indication of how DORA's principles and requirements will be specified in practice. Interested parties can already use them as a reference to check that their implementation is on the right track, both in their arrangements with ICT third-party service providers and in their internal ICT risk management, while keeping in mind that the text may still change during the endorsement process.

In the coming weeks, we will publish a more detailed examination of the RTS and ITS drafts published by the ESAs, along with a series of video snippets to analyze the most significant aspects of DORA.