Digital Operational Resilience Act (DORA) adopted by Council of the EU

Following agreement in trilogue in May 2022, the Council formally adopted DORA on 28 November 2022.

Key messages

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector (such as banks, insurance companies and investment firms) as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.

Key impacts on boards

Two points identified as impacting boards of financial entities are:

  • Creation of a ICT risk management framework around a set of key principles and requirements for boards to determine risk tolerance
  • Setting up EU-wide standards for digital operational resilience for companies to educate the board on how these tests are run

Next steps

Member states should adopt relevant national law to apply DORA by end 2024 (24 months from entry into force, which is 20 days after publication in the EU Official Journal). EBA, ESMA and EIOPA will be developing related technical standards.


Digital finance: Council adopts Digital Operational Resilience Act – 28 November 2022


Nordic Board & Executive Advisory, 6 December 2022

Fandt du dette nyttigt?
$(document.head).append(''); $(document.head).append('