DORA is fully applicable – what do you need to know today?

  • Market Insight 17 January 2025
  • UK & Europe

After a two-year transition period, the Digital Operational Resilience Act (DORA) is now fully enforceable. During this transition period, the comprehensive requirements of DORA, one of the most significant regulatory frameworks for digital operational resilience in the financial sector, have already posed significant challenges for affected companies. To avoid any last-minute issues, we summarise the essential requirements of DORA and outline immediate next steps that need to be taken.

What exactly is DORA and which companies are affected?

DORA provides uniform requirements for the security of network and information systems. Its aim is to standardise IT security within the European market and address the continuously increasing cybersecurity risks in the financial sector.

A wide range of financial entities are affected. This includes credit institutions (such as banks), payment institutions, insurance companies, reinsurance companies, insurance intermediaries, reinsurance intermediaries, as well as IT services providers operating in the financial sector.

What are the key requirements of DORA?

DORA brings a series of comprehensive requirements. The key requirements include, in particular:

Governance and risk management system

Companies must establish a governance and control framework that clearly defines roles and responsibilities for ICT-related functions and sets up reporting channels for specific information. Additionally, an ICT risk management framework must be implemented. This should include strategies, policies, procedures, and applications to protect information and ICT assets from negative impacts. This framework must be reviewed and updated at least annually.

Resilience requirements and testing obligations

Financial entities must develop a program to assess their digital operational stability, identify vulnerabilities, and take corrective actions. The procedures include vulnerability assessments, network security audits, penetration tests, and source code reviews.

Security incidents and reporting obligations

A process for monitoring, logging, and reporting ICT-related security incidents must be implemented. These incidents must be classified by severity, with serious incidents and significant incidents (increased threat relevance) being reported to the financial supervisory authorities. Customers and users must also be informed about the incidents and their impact.

Risks associated with ICT third-party services providers

Financial entities must comprehensively assess and monitor their ICT third-party services providers. This includes maintaining an information register of all outsourced ICT processes and providing this information to the competent authorities upon request. Before entering into contracts with ICT third-party services providers, financial entities must evaluate whether the failure of a provider could affect their financial stability or business continuity. Regulatory requirements and potential risks, such as ICT concentration risks, must also be considered.

Contractual requirements for ICT third-party services providers and oversight

Contracts with ICT third-party services providers must comply with DORA's specific requirements, such as the inclusion of service level agreements. This also applies to existing agreements. The contracts must ensure that these providers meet adequate IT standards, especially for critical functions. European supervisory authorities may designate certain ICT providers as “critical” if their failure could have significant systemic impacts on the financial sector. These critical ICT third-party service providers are then subject to special oversight by the supervisory authorities.

What are the immediate next steps?

As financial institutions finalize their preparations, it is crucial to closely monitor updates from regulatory authorities to address any last-minute challenges:

The Joint Committee of the European Supervisory Authorities (ESAs) emphasized in December that financial entities should conduct gap analyses of DORA’s requirements to identify and address any deficiencies. National authorities are offering additional support through checklists that can assist with such gap analyses and ensure companies are fully prepared for DORA’s implementation.

The Committee also stressed that financial institutions must prepare for new reporting obligations. Specifically, institutions need to have their registers of ICT third-party provider contractual arrangements ready for submission to the competent authorities in early 2025, as these must be reported to the ESAs by April 30, 2025. Financial entities should ensure they use the implementing technical standards recently adopted by the European Commission. National authorities will provide details on the specific deadlines for submitting this information.

Moreover, financial institutions must be prepared to classify and report major ICT-related incidents starting today. It is essential for these companies to verify whether the necessary processes are already in place or if adjustments are required.

Financial institutions must act promptly to ensure full compliance with DORA, as regulators have made it clear that there will be no additional transition period. Inadequate preparation could lead to serious consequences, including fines.

Stay up to date with Clyde & Co