DORA - Digital Operational Resilience Act for the Financial Sector

The Regulation (EU) 2022/2554 (Digital Operational Resilience Act - DORA) "on digital operational resilience for the financial sector" (hereafter the Regulation) provides that all Financial Entities within the scope of the Regulation should follow the same approach when managing Information and Communication Technology (ICT) risks, taking into account their size, their overall risk profile, and the nature, scale and complexity of their services and operations.

The Regulation provides for requirements mainly related to: 

  • ICT risk management.
  • ICT-related incident management, classification and reporting.
  • Digital operational resilience testing.
  • Managing of ICT third-party risk.

Detailed information for each section as well as supporting documents are listed below:

Information and Communication Technology Risk Management

CHAPTER II of the Regulation introduces requirements related to Information and Communication Technology Risk Management which focus on the following actions:

  • Identification 
    Identification and recording of ICT-related information assets and functions.
  • Protection and Prevention
    Continuous monitoring and control of the functioning of ICT systems.
  • Detection
    Detection of anomalous activities, network performance problems, ICT and security incidents.
  • Response and Recovery
    Development and testing of Business Continuity and Disaster Recovery Plans.
  • Restoration and Recovery
    ICT systems backup policies, restoration and recovery procedures.

Further details regarding these requirements are also included in the following documents related to the Regulation: 

Regulatory Technical Standards (RTS) on ICT risk management tools, methods, processes and policies and on simplified ICT risk management framework

Joint Guidelines (GLs) on estimation of aggregated annual costs and losses caused by major ICT-related incidents

ICT-related Incident Management, Classification and Reporting

CHAPTER III of the Regulation introduces requirements related to ICT-related Incident Management, Classification and Reporting which focus on the following actions:

  • Management 
    Development and implementation of an ICT-related incident detection, management and notification process.
  • Classification 
    Assessment of the ICT-related incident impacts and classification based on defined criteria.
  • Reporting
    Reporting of ICT-related incidents which are classified as major to the Bank of Greece, based on the requirements of the Regulation regarding:
      • The reporting deadlines (initial, intermediate and final notification).
      • The content of each notification.

In the event of a major ICT-related incident, as defined by the criteria of the Regulation, supervised institutions must send the completed relevant template, using a secure communication channel, to the following email address: ICTIncidentReporting@bankofgreece.gr. Significant cyber threats may also be reported through the same secure communication channel by sending the corresponding template. These templates, together with the corresponding validation rules, are available at the end of this page.

For the process of implementing the secure communication channel, supervised institutions may contact ict.supervision@bankofgreece.gr for instructions.

Further details regarding these requirements are also included in the following documents related to the Regulation:

Regulatory Technical Standards (RTS) specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents 

Joint Technical Standards (JTS) on major incident reporting 

Digital Operational Resilience Testing

CHAPTER IV of the Regulation introduces requirements related to Digital Operational Resilience Testing which focus on the following actions:

  • Programme 
    Development, maintenance and review of a Digital Operational Resilience Testing Programme.
  • Testing
    Execution of appropriate tests on all ICT systems and applications supporting critical or important functions at least annually.
  • Advanced Testing based on Threat-Led Penetration Tests (TLPT)
    Advanced testing of ICT tools, systems and processes based on Threat-Led Penetration Tests (TLPT), applicable only to the selected Financial Entities, based on the requirements of the Regulation regarding:
      • The periodicity (at least every 3 years).
      • The scope (some or all critical or important functions, production systems).
      • The assignment of the TLPT execution (internally and/or externally).
      • The reporting of findings and selected corrective actions.

Further details regarding these requirements are also included in the following document related to the Regulation:

Joint Regulatory Technical Standards (RTS) specifying elements related to threat led penetration tests

Managing of ICT Third-Party Risk

CHAPTER V of the Regulation introduces requirements related to Managing of ICT Third-Party Risk which focus on the following actions:

  • Strategy and Management
    Development and review of the ICT Third-Party Risk Management Strategy and management of the related risks.
  • Register of Information
    Maintenance of the Register of Information covering all contractual arrangements with ICT third-party service providers, and regular reporting to the Bank of Greece based on the requirements of the Regulation.
    Supervised institutions shall submit to the Bank of Greece, by April 15, 2025, the register of information with a reference date of March 31, 2025. For the creation and submission of these registers of information, supervised institutions must apply Implementing Technical Standard (EU) 2024/2956, in accordance with the instructions currently in force, which are provided on the European Banking Authority page "Preparations for reporting of DORA registers of information".
  • Concentration Risk
    Assessment of the contractual arrangements for the provision of ICT services supporting critical or important functions by the same service provider.
  • Contractual Provisions
    Amendment of contracts with ICT third-party service providers in accordance with the requirements of the Regulation.

Further details regarding these requirements are also included in the following documents related to the Regulation:

Implementing Technical Standards (ITS) to establish the templates for the register of information

Regulatory Technical Standards (RTS) to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

Joint Regulatory Technical Standards (RTS) on subcontracting ICT services supporting critical or important functions
