For each of the five DORA pillars, the CSSF survey asks whether the IFM has conducted a gap analysis, enquires about the gaps identified and asks whether mitigation plans are already in place or intended to be put in place, as well as the planned timeline for implementation. The CSSF also requests IFMs to self-assess their level of DORA readiness.
In force since 16 January 2023, DORA creates a regulatory framework on digital operational resilience whereby European financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. DORA deals with a wide range of operational resilience topics, divided into five pillars:
- ICT risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Managing of ICT third-party risk
- Information-sharing arrangements
The DORA rules will become fully applicable from 17 January 2025. The designated European Supervisory Authorities are currently developing technical standards with which financial entities must comply, whilst national competent authorities will oversee compliance and enforce the regime as required.
DORA applies to a range of financial entities regulated at EU level. This includes most credit institutions, payment institutions, electronic money institutions, investment firms, managers of alternative investment funds and management companies, as well as insurance and reinsurance undertakings and intermediaries. Microenterprises are also within scope of DORA, subject to specific provisions. DORA also applies to ICT third-party service providers of digital and data services, including providers of cloud computing services, software, data analytics services and data centres.