Compliance · Credibility 88/100 · 2 min read

Compliance Briefing — December 27, 2022

The Digital Operational Resilience Act was published in the EU Official Journal on 27 December 2022, launching a two-year implementation window for financial entities and critical ICT providers.

Executive briefing: Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, DORA) entered into force on 16 January 2023 following Official Journal publication on 27 December 2022. Financial entities must establish ICT risk management frameworks, incident reporting, testing, and third-party oversight by 17 January 2025.

Key compliance checkpoints

  • ICT risk management. Implement governance, protection, detection, response, and recovery capabilities aligned with DORA Articles 5–16.
  • Incident reporting. Prepare multi-stage reporting (initial, intermediate, final) to competent authorities within stipulated timelines.
  • Third-party management. Classify ICT service providers, maintain registers of contractual arrangements, and prepare for oversight of critical providers.

Operational priorities

  • Testing programmes. Design threat-led penetration testing and scenario-based exercises to meet advanced testing requirements.
  • Contract remediation. Update ICT outsourcing agreements to include access, audit, resilience, and exit provisions mandated by DORA.
  • Implementation governance. Create cross-functional steering committees to track readiness across ICT, risk, and compliance functions.

Enablement moves

  • Deploy tooling to aggregate incident metrics, testing results, and third-party inventory data.
  • Align DORA programmes with existing frameworks (EBA Guidelines, NIS2, operational resilience rules) to avoid duplication.
  • Engage ICT providers early to validate criticality assessments and supervisory expectations.

Sources

Zeph Tech orchestrates DORA readiness through ICT risk governance, incident reporting automation, and third-party oversight playbooks.
