DORA – One week to go

The EU Digital Operational Resilience Act (“DORA”) is due to apply from 17 January 2025. It is designed to ensure regulated financial entities can withstand and recover from technology issues such as cyber events and operational failures. Both financial entities and ICT suppliers will be affected. Below, we set out the key themes that emerged from 2024 and what regulated firms and service providers should focus on now.

One week to go … what financial entities and suppliers should be focusing on now as the deadline for DORA implementation approaches

2024 was undoubtedly a challenging year for regulated financial entities undergoing preparations for the EU Digital Operational Resilience Act (“DORA”) – a new regulation for the EU financial sector setting out a comprehensive set of rules designed to ensure that financial institutions, insurance companies and other businesses offering financial services in the EU can withstand and recover from technology issues such as cyber events and operational failures.

Amidst the pressure of other regulatory changes and within a challenging economic and geopolitical environment, regulated financial entities have had to undertake a review of their governance and contractual arrangements for their organisation-wide use of ICT services, which range from cloud services to IT support and maintenance, data subscription services and cybersecurity services, among others. This exercise requires a coordinated effort across a diverse range of business functions, including business continuity planning, technology, information security, disaster recovery and incident response, supplier management, exit planning, testing, audit, and regulatory reporting and coordination.

Observations as the compliance deadline approaches

Some key themes have become clear at this stage:

  1. Many financial entities are struggling to meet the deadline. The finalisation and formal adoption of DORA Level 2 – a collection of regulatory and implementing technical standards (RTS and ITS) containing additional details and technical requirements which supplement the main text of DORA – has taken longer than expected. During the course of 2024, many financial entities were hesitant to implement changes without having certainty as to the technical requirements that would apply to them. Notably, the implementing technical standards concerning standard templates for the register of information (“Register of Information ITS”) were only adopted by the Commission on 29 November 2024, and the draft regulatory technical standards on the subcontracting of ICT services supporting critical or important functions (“Subcontracting RTS”) have not yet been adopted by the Commission. The Subcontracting RTS will have a key impact on the subcontracting chain and, consequently, on the expectations of financial entities and suppliers as they update contracts to meet DORA requirements.
  2. Regulators are sticking to the deadline. Despite the challenges that financial entities have faced in meeting the DORA compliance deadline, the clear message from regulators is that there will be no grace period. The European Supervisory Authorities (“ESAs”) issued a joint statement on 4 December 2024 in which they emphasised “the importance for financial entities to adopt a robust, structured approach in order to meet their obligations in a timely manner” and called on financial entities and third-party providers “to advance their preparations to ensure their readiness.”
  3. Suppliers have work to do, too. Suppliers of ICT services are indirectly impacted by DORA as they face pressure from their EU financial entity customers to implement technical and contractual changes to meet regulatory requirements. For many, this is the first time they have had to address financial services regulatory requirements. The effort involved in implementing contractual changes for a large number of customers, in a short space of time, is significant in itself, but for many suppliers the greater challenge is being able to meet those requirements in practice. In particular, the extensive audit requirements, subcontracting restrictions and service location obligations are difficult for many suppliers to satisfy. The suppliers that have proactively prepared for customers’ DORA-related requirements will invariably be better placed to address these issues than those that have taken a ‘wait and see’ approach.

There are still open questions and opposing views about the scope and interpretation of key DORA concepts, including the meaning of “ICT services” and the assessment of whether an ICT service supports a financial entity’s “critical or important functions”. Until guidance is issued, or settled practice evolves, these issues will continue to be debated between customers and their suppliers, which is causing further delay in financial entities meeting the DORA compliance deadline.

For large suppliers that are expected to be designated as critical ICT third-party service providers, significant preparations are likely to be underway. Those that are designated will be directly subject to the DORA Oversight Framework, facing the potential of significant penalties for non-compliance.

What should regulated financial entities and service providers focus on now?

At this stage, the priority for regulated financial entities is to take a pragmatic approach to achieving compliance in key areas in as timely a manner as possible. The ESAs’ joint statement indicated that supervision of DORA requirements would be undertaken “in a risk-based manner”. Financial entities should therefore prioritise the most significant risk areas, including the resilience of their critical or important functions. Financial entities should, in particular, focus on:

  • completing their registers of information on ICT third-party providers’ contractual arrangements. According to the ESAs’ joint statement, these will need to be available to competent authorities “early in 2025”;
  • updating their incident management processes to ensure that they are prepared to classify and report major ICT-related incidents from the compliance deadline; and
  • remediating contractual arrangements with ICT service providers, prioritising the ICT services that support their critical or important functions.

For suppliers, the priority will be meeting the requirements of customers in a timely manner. Suppliers should consider preparing standard DORA-compliant contract clauses, if they have not done so already, in readiness for the surge of requests from financial entity customers.

Authored by Louise Crawford.
