DORA: Navigating the New Era of Digital Operational Resilience in EU Financial Services

DLA Piper
[co-authors: Anthony Day, David Ossack, Evelina Dimitrova]

It’s DORA day! The EU financial services sector has been anticipating today since the Digital Operational Resilience Act was published in December 2022. DORA brings a significant shift to the sector in terms of how financial entities must manage risk linked to use of technologies, and it has created one of the most comprehensive gap analysis and remediation exercises to face the sector in recent years.

But it’s fine, because the industry has had 2 years to prepare. And if you’ve not done anything about it yet, there’s always the grace period, right?

Well, according to European Supervisory Authorities (ESAs) and many national authorities, no, since DORA is not designed to be new, and most large organisations are expected to be compliant in some ways through existing policies and processes. Furthermore, at least in theory, there have been 2 years to prepare even though the majority of technical and implementing standards – the bits that flesh out the DORA requirements – were only adopted in the past few months.

In a nutshell, all of DORA applies from today, even though 3 sets of standards are still under legislative scrutiny and the text for 2 significant standards (on sub-contracting and threat-led penetration testing) has yet to be adopted. So, it is not surprising that remediation exercises are still ongoing.

As they say: ‘we are where we are’. But what if you are wondering where to go from here?

In a recent interactive Q&A webinar, DLA Piper and Elixirr explored current challenges faced by clients navigating DORA requirements and offered practical steps to implement DORA successfully. This included guidance on activities to prioritise right now. Here are some takeaways.

For financial entities

The key priorities:

  • Focus on critical or important functions: A heightened set of regulatory requirements applies to ‘critical or important functions’ (CIFs). Therefore, identifying your CIFs and prioritising the remediation of contracts for services supporting them is essential. This will help you shape and prioritise your DORA compliance activity in accordance with the principle of proportionality.
  • Incident management framework: The ESAs have highlighted the importance of financial entities being ready to classify and report on major ICT-related incidents from today (17 January 2025).
  • Register of information – a likely early enforcement action: The ESAs have singled out reporting as a priority, flagging that financial entities will need to have their registers available for competent authorities early in 2025. National authorities will have to submit registers to the ESAs by the end of April to allow concentration analysis and designation of critical ICT third-party service providers in the second half of this year.

For service providers

While DORA does not apply directly to ICT service providers (unless designated as a critical ICT third-party service provider, or CTPP), preparing for it can be a powerful marketing tool. Developing a financial services offering that allows your clients to comply with DORA shows maturity, and it may give you a competitive edge in pre-contractual due diligence and procurement processes.

Here are a few steps that can help:

Step 1 – Mapping

Mapping includes identification of in-scope services, clients / client groups that are in-scope of DORA, relevant contract terms, subcontracts and dependencies on subcontractors.

Step 2 – Operational processes

Identify existing operational processes that may support contractual obligations under the DORA mandatory contract terms (such as incident reporting, service levels, subcontractor controls) and identify any adjustments required. This allows you to put a spotlight on how you are already supporting your clients and reassure them that they may be closer to compliance than anticipated, making remediation exercises more straightforward.

Step 3 – Documentation

Consider producing a template financial services addendum that maps to DORA’s contractual requirements. You may also consider producing a mapping document or white paper presenting how your delivery model answers such requirements. Even if you end up contracting on the client’s terms, this exercise will help you know how you are addressing DORA requirements and respond to any client requests.

For service providers likely to be designated as critical for the financial sector

For the first time, financial services regulation will apply directly to service providers designated as critical to the sector. The designation of critical ICT third-party service providers (CTPPs) under DORA is not expected to happen before Q3 2025. However, any service provider that thinks it may meet the criteria for CTPP status should be assessing its operational set-up against the DORA requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper