DORA Deadline Looms: ESAs advise entities to ‘get set’ for 17 January 2025

The Digital Operational Resilience Act (“DORA”) together with the technical standards and guidelines adopted under it will apply from 17 January 2025. On 4 December 2024, the European Supervisory Authorities (ESAs) issued a ‘Statement on DORA Application’ (the “Statement”) reminding in-scope financial entities and ICT third-party service providers of the application date and advising them to advance their DORA readiness preparations. The Statement confirms that there is no transitional period and emphasises the importance for financial entities to adopt a robust and structured approach to meet their obligations in a timely manner.

Other key points from the Statement include:

1. Gap Analysis – The ESAs expect financial entities to identify and address in a timely manner any gaps between their internal setups and the DORA requirements. The ESAs acknowledge that the starting point may vary across financial entities as some entities have for many years been subject to existing sectoral guidelines, regulations or supervisory expectations concerning ICT risk management, incident reporting and outsourcing while other financial entities have been subject to less sectoral requirements. In any event, the Statement notes that the ESAs and competent authorities have been providing guidance to support the smooth implementation of DORA and that they will continue to do so.
2. Reporting obligations – The ESAs remind financial entities to prepare for the new reporting obligations. In particular, financial entities must have a ‘register of ICT third-party contractual arrangements’ available for competent authorities (e.g. Central Bank of Ireland) in early 2025. The competent authorities will in turn need to report these to the ESAs by 30 April 2025. In creating such a register, the ESAs advise financial entities to take account of the ‘Implementing Technical Standards on the Register of Information’ (which was adopted by the European Commission on 29 November 2024) and also the lessons learnt from the ESAs’ dry-run exercise that was conducted in 2024. The ESAs also state that it is important that financial entities are equipped by 17 January 2025 to report major ICT-related incidents. An incident is considered a ‘major ICT-related incident’ where it has had an impact on critical services and meets certain materiality impact thresholds as set out in the ‘Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents’.
3. Critical Third-Party Providers (CTPPs) – ICT third-party service providers that are designated as a CTPP will be subject to a direct oversight regulatory regime by one of the ESAs. In the Statement, the ESAs invite ICT third-party providers that may meet the criticality criteria, which was published in May 2024, to assess their operational set-up against the requirements of DORA. Importantly, it notes that the first designation of CTPPs is expected to take place in H2 2025.

Concerns about delays in the finalisation of key standards and guidance had been raised, so the Statement signals a clear message from the ESAs that despite these delays, DORA will apply from 17 January 2025 and there won’t be any grace period. Some of the concerns arose from the European Commission’s rejection of the draft Implementing Technical Standards on the Register of Information. Also, the European Commission has yet to adopt the much-awaited Regulatory Technical Standards on Sub-Contracting. There is also some ongoing uncertainty regarding the interpretation of the concept of ‘ICT services’ under DORA, which is to be addressed in a FAQ.

For more information on DORA, please see our earlier briefings (here, here, here and here)

How can we help?

For assistance, please get in touch with one of the key contacts below, or your usual contact at McCann FitzGerald.