After a two-year implementation period, the EU Digital Operational Resilience Act (DORA) takes effect on 17 January 2025.
DORA is part of the EU’s Digital Finance Package and aims to strengthen the financial sector’s ability to withstand and recover from operational disruption.
Despite DORA coming into effect, many financial entities and information communication and technology (ICT) third-party service providers (TPPs) continue to work towards DORA compliance.
Following 17 January 2025, financial entities will need to, among other things:
- continue negotiating DORA-compliant contractual arrangements with TPPs to ensure such arrangements include the minimum contractual provisions set out in DORA;
- establish and maintain their registers of information related to their ICT services, and engage with their national competent authorities (NCAs) on the delivery of such information ahead of the deadline for the first submission of these registers by NCAs to the European Supervisory Authorities (ESAs) on 30 April 2025;
- monitor the adoption of the remaining technical standards on the subcontracting of ICT services and threat-led penetration testing as well as the publication of other DORA-related materials such as the highly anticipated guidance on the scope of ICT services;
- enhance legacy ICT systems and infrastructure or integrate them with new systems to assist with the implementation of DORA’s requirements;
- engage across multiple internal departments to avoid siloed efforts, miscommunication and/or gaps in compliance implementation, and ensure that the organisation is appropriately staffed to deal with ongoing DORA obligations;
- prepare for engagement with NCAs who will play a key role in the supervision and enforcement of DORA; and
- monitor the ESAs designation of TPPs as “critical” and determine any impact that such a designation may have on them where they utilise such a provider.
For further information on developments regarding DORA, please see our recent article (available here).