
DORA: Get ready, get set, take action

Published Date
Dec 17 2024

The Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA), is a European regulation whose requirements apply from January 17, 2025.

The regulation aims to strengthen the digital operational resilience of the financial sector in Europe by establishing a unified framework for enhancing cybersecurity and operational resilience of that sector.

It applies to financial entities, which include credit institutions, payment service providers, e-money institutions, investment fund managers, crypto-asset service providers, as well as insurance and reinsurance companies. DORA also applies to certain third-party service providers.

Financial entities are required to comply in five key areas:

  • Governance and organization.
  • ICT risk management and ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information and intelligence sharing.

Why should entities falling under DORA get ready now?

There have been discussions about whether the application date of DORA should be postponed. Uncertainties remain regarding (i) the definition of ICT services under the regulation, (ii) the territorial and material scope of DORA, and (iii) missing regulatory and implementing technical standards (RTS and ITS), including the RTS on subcontracting, which have yet to be adopted by the European Commission.

However, on December 4, 2024, the European Supervisory Authorities (ESAs) emphasized that DORA does not provide for a grace period, and stressed the importance of financial entities adopting a robust, structured approach to meet their obligations under the regulation in a timely manner.

Therefore, there is only one month left to comply with DORA requirements.

Failure to comply with DORA may result in administrative fines imposed by the competent authority. For example, Luxembourg regulators (the Commission de Supervision du Secteur Financier (CSSF) or the Commissariat aux Assurances (CAA)) can impose administrative fines of up to EUR 5 million or 10% of the annual total turnover on legal persons; under these rules, both the organization and its management can be sanctioned.

Three key steps to get set before January 17, 2025

In addition to governance and operational resilience (i.e., appropriate internal policy, ICT resilience testing, management training, due diligence of third-party service providers), financial entities should consider the following steps before January 17, 2025:

  • Determine whether they receive an "ICT service" as defined under DORA and whether such ICT service supports a critical or important function.
  • Ensure that contracts covering both critical and non-critical ICT services contain the mandatory clauses under DORA. While the RTS on subcontracting have yet to be adopted, we recommend not waiting for their publication. Instead, review agreements in line with the latest draft RTS; the authorities have insisted that financial entities should leverage the current drafts.
  • Complete the register of information (ROI) by April 2025, with particular attention to the arrangements supporting critical or important functions.

Action to take before DORA arrives

To ensure your organization is prepared for DORA coming into force, it is essential to take a structured and proactive approach. It’s time to take action.

  • Assess ICT services: Determine whether your functions are supported by ICT services. Different contractual obligations will apply depending on whether the function supported by these services is critical or important. When making this determination, consider the definition under DORA as well as the applicable RTS and ITS.
  • Comprehensively document decisions: You should thoroughly document and map all decisions, including the assessment of which functions are "critical or important." This documentation is crucial for demonstrating a comprehensive understanding of your business and the contractual relationships involved. It will be the basis for regulatory compliance and internal clarity.
  • Thoroughly understand ICT services: Ensure you have a clear understanding of the ICT services you receive. Refer to the definition under DORA and to the RTS on the ROI, which provides practical examples of ICT third-party service providers. If a third-party service provider refuses to accept the contractual obligations required by DORA, be prepared to consider appropriate steps, up to and including termination of the agreement with that provider.
  • Implement and prepare addenda: Prepare separate standalone addenda for ICT services supporting critical or important functions and for those supporting other functions. Consider developing a playbook for your employees to use when negotiating these addenda with third-party service providers. Include fallback clauses that, at a minimum, meet DORA's legal requirements.
  • Offer addendum proactively: Be proactive, do not wait to receive an addendum from the third-party service provider; send your own addendum.
  • Navigate the ROI: Prepare your ROI by identifying critical and important functions and the third-party service providers supporting each of them. Identify the rank of each service provider in the subcontracting chain and ensure compliance. Do not wait until all agreements are finalized before addressing the ROI. Competent authorities will collect the ROI, and the ESAs will use it to designate "critical ICT third-party service providers", which are subject to a specific oversight regime under DORA.