ESAs Launch Public Consultation on Second Batch of DORA Mandates

ESAs Launch Public Consultation on Second Batch of DORA Mandates

The ESAs (EBA, EIOPA, and ESMA) have opened a public consultation on the second batch of mandates under the Digital Operational Resilience Act (DORA), aimed at fortifying digital resilience in the EU financial sector.

In a significant step aimed at strengthening digital resilience within the European Union's financial sector, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), have opened a public consultation on the second batch of mandates under the Digital Operational Resilience Act (DORA).

Policy Focus: Building a Robust Digital Framework

This comprehensive package encompasses four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. By addressing these critical aspects, the ESAs aim to fortify the digital infrastructure of financial entities and ensure a resilient and secure operational environment


The consultation period is set to run until March 4, 2024, providing stakeholders and industry participants with a window to contribute their insights and feedback. This inclusive approach reflects the ESAs' commitment to gathering diverse perspectives and ensuring that the resulting regulatory framework is well-informed and effective.


Contents: Key Aspects under Scrutiny

The contents of this second batch of DORA mandates address essential aspects of digital resilience. Notable points of focus include incident reporting protocols, addressing costs stemming from major incidents, guidelines on subcontracting practices, harmonisation of oversight mechanisms, fostering cooperation in oversight activities, and the incorporation of threat-led penetration testing methodologies.

Next Steps

Anticipating a thorough consultation process, the ESAs plan to submit the draft technical standards to the European Commission and issue the guidelines by July 17, 2024. This timeline underscores the authorities' commitment to a diligent and timely regulatory development process.

Legal Basis

The Digital Operational Resilience Act (DORA) has been in force since January 16, 2023, and is slated to be applicable from January 17, 2025. This legal foundation underscores the proactive stance taken by the EU in addressing the evolving challenges posed by the digital landscape in the financial sector.

Engagement Opportunities

Stakeholders and interested parties have multiple avenues for engagement. A public hearing, scheduled as a webinar on January 23, 2024, offers participants the chance to delve deeper into the consultation's nuances. To participate, registration is required by January 19, 2023. Additionally, the deadline for submitting comments and contributions to the consultation is March 4, 2024. These engagement opportunities underscore the collaborative approach taken by the ESAs in shaping regulations that impact the broader financial ecosystem.

BDO Malta: Your Partner for DORA Compliance 

The European Union has set January 17th, 2025 as the deadline to achieve DORA Compliance. While this might seem a distant target, in fact achieving DORA Compliance is a very complex and challenging task which requires a concerted effort by the in-scope financial entities. 

At BDO Malta, we understand the profound impact that the journey towards DORA compliance has on such organisations. Our team of regulatory and compliance technical experts is dedicated to helping your company navigate this complex environment. Our comprehensive range of services includes: 
  • Board and Management Training on DORA; 
  • Expert guidance on DORA Compliance; 
  • Performing gap analyses; 
  • Conducting risk assessments; 
  • Developing and implementing incident management and business continuity plans; 
  • Providing continuous support and monitoring. 

Is your company ready for DORA? 
Get in touch