Application of the Digital Operational Resilience Act (DORA): Key considerations
Key takeaways
- Since 17 January 2025, entities across the financial sector must comply with the Digital Operational Resilience Act (DORA).
- However, not all delegated and implementing regulations and guidelines under DORA are finalised and applicable, which complicates the compliance with these rules.
- Financial entities should closely follow guidance from the European Commission, the European Supervisory Authorities and the relevant national competent authorities, to ensure satisfactory compliance with the framework.
DORA
On 17 January 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA) entered into force. Since that date, Member States must also apply the national transpositions of Directive (EU) 2022/2556 (DORA Directive).
Summary of key rules
We published an in-depth client briefing on DORA in 2023 following its adoption. To recap, DORA introduces a digital operational resilience framework that applies to financial services providers across the EU financial sector, from payment institutions to fund managers and credit institutions. The Act also applies to ICT providers, both indirectly and directly, under certain conditions.
DORA is organized around five pillars:
- ICT risk management: Financial entities must have an internal governance and control framework in place that ensures an effective and prudent management of ICT risk. To this end, DORA sets out key principles and requirements. The framework also requires financial entities to implement a sound, comprehensive and well-documented ICT risk management framework (including strategies, policies, procedures, ICT protocols).
- ICT-related incident management, classification and reporting: Financial entities must put in place ICT-related incident management processes and procedures to detect, manage and notify ICT-related incidents. These incidents must also be comprehensively documented and classified, so that ‘major’ ICT-related incidents are reported to the relevant competent authority of the financial entity (as well as to the national CSIRT designated or established in accordance with the NIS2 Directive, where this is required by the Member State) and, where applicable, to their clients. Financial entities may also, voluntarily, notify significant cyber threats to the relevant competent authority.
- Digital operational resilience testing: Financial entities must maintain a digital operational resilience testing programme as part of the ICT risk-management framework, to identify weaknesses, deficiencies and gaps in digital operational resilience, among other purposes. The tests must be performed by independent parties. Financial entities identified as playing a systemic role have to perform advanced testing of underlying ICT systems, processes and technologies supporting critical or important functions and ICT services.
- Management of ICT third-party risk: DORA also sets out principle-based rules for the management of third-party risks by financial entities within the ICT risk management framework. In addition, financial entities must have in place contractual arrangements with ICT third-party service providers that feature specified key contractual provisions. Ancillary obligations include reporting and notification obligations to supervisory authorities, mandatory risk assessments and maintaining a register of all arrangements. DORA also imposes an oversight framework for those ICT third-party service providers designated by the European Supervisory Authorities as being critical to the financial sector.
- Information-sharing arrangements on cyber threat information and intelligence: Finally, DORA lays down the requirements applicable to arrangements that financial entities may set up voluntarily, to exchange information on cyber threats and intelligence. Those arrangements must set out the conditions of participation and involvement of public authorities. In case of participation in an arrangement, financial entities must notify competent authorities.
State of play
The DORA framework is not yet complete, despite its entry into force.
To date, most ‘Level 2 rules’, ie the delegated acts from the European Commission (EC) setting out regulatory technical standards (RTS) or implementing technical standards (ITS), have been published in the Official Journal of the European Union or adopted. There are two sets of RTS under scrutiny and the RTS on subcontracting still has to be adopted.
The adoption of those standards, which are prepared by the Joint Committee of the European Supervisory Authorities (ESAs), is not always straightforward. For example, the EC has recently rejected the draft RTS on subcontracting.
In addition, the ‘Level 3 rules’ are also not yet complete, since the guidelines on the estimate of costs/losses caused by major ICT-related incidents are still awaiting final publication.
A complete overview of the delegated and implementing regulations and guidelines is set out in the table below.
Category | Instrument
ICT risk management | Joint Guidelines, awaiting translation and final publication (Art 11.11): estimation of aggregated annual costs/losses caused by major ICT-related incidents
ICT risk management | Commission Delegated Regulation (EU) 2024/1774 (Art 15, 16.3): RTS specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
ICT-related incident management, classification and reporting | Commission Delegated Regulation (EU) 2024/1772 (Art 18.3): RTS specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
ICT-related incident management, classification and reporting | Commission Delegated Regulation (EU) 2025/301 (Art 20.a): RTS specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
ICT-related incident management, classification and reporting | Commission Delegated Regulation (EU) 2025/302 (Art 20.b): ITS on standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
Digital operational resilience testing | Adopted Commission Regulation (Art 26.11): RTS on threat-led penetration testing
ICT third-party risk management | Commission Implementing Regulation (EU) 2024/2956 (Art 28.9): ITS on standard templates for the register of information
ICT third-party risk management | Commission Delegated Regulation (EU) 2024/1773 (Art 28.10): RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
ICT third-party risk management | Final draft, rejected by the EC (Art 30.5): RTS on subcontracting ICT services supporting a critical or important function
Oversight framework of critical ICT third-party service providers | Commission Delegated Regulation (EU) 2024/1502 (Art 31): criteria for the designation of ICT third-party service providers as critical for financial entities
Oversight framework of critical ICT third-party service providers | Joint Guidelines, applicable (Art 32.7): oversight cooperation and information exchange between the ESAs and the competent authorities
Oversight framework of critical ICT third-party service providers | Commission Delegated Regulation (EU) 2025/295 (Art 41): RTS on harmonisation of conditions enabling the conduct of the oversight activities (except JET)
Oversight framework of critical ICT third-party service providers | Commission Delegated Regulation (EU) 2024/1505 (Art 43): oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
Oversight framework of critical ICT third-party service providers | Adopted Commission Regulation (Art 41), subject to scrutiny: RTS on criteria for determining the composition of the joint examination team (JET)
In addition, the ESAs have published a number of Q&As on a variety of topics under DORA, which provide further guidance on the provisions of the Act. Also important are press releases on upcoming regulatory actions, such as the ESAs’ roadmap towards the designation of critical ICT third-party service providers (CTPPs). The EC also publishes statements, such as on the definition of ‘ICT services’ (see our briefing), which help to clarify practical matters when complying with the Regulation.
Finally, entities should stay abreast of changes to other regulatory frameworks to align with DORA. The latest developments in that respect are the Eurosystem’s update to the framework for threat intelligence-based ethical red-teaming (TIBER-EU framework), and the European Banking Authority’s amendments to its Guidelines on ICT and security risk management measures.
Compliance with DORA
Since DORA has no transitional regime, financial entities are now required to fully comply with all its provisions. In December 2024, the ESAs published a statement on the supervisory expectations regarding DORA, and the EC also published a communication setting out its expectations on compliance.
Key considerations:
- Financial entities must adopt a robust and structured approach to compliance.
- Financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements. DORA’s requirements may require more efforts than sectoral requirements (eg major incident reporting under Directive 2015/2366, PSD2). Guidance from the ESAs or national competent authorities may facilitate the streamlining of these efforts.
- To deal with RTS that have not yet been published in the Official Journal of the EU, financial entities are advised to apply the RTS as adopted by the EC in the meantime.
- Financial entities should also prepare for the new reporting obligations, in particular regarding the registers of ICT third-party providers’ contractual arrangements, which must be available for competent authorities early in 2025.
Several national competent authorities have issued guidance to clarify the specific expectations in their Member States. Financial entities should be aware also of the activity of the individual ESAs in relation to DORA, eg in December 2024, EIOPA revoked certain of its existing guidelines to avoid duplication and overlaps with DORA.
Belgium
In Belgium, the implementation of DORA is progressing actively. In this regard, a Belgian bill was adopted on 30 January 2025, allocating supervisory powers between the Belgian financial regulators, namely the Financial Services and Markets Authority (FSMA) and the National Bank of Belgium (NBB), in accordance with their designation under the relevant sectoral regulations applicable to the financial sector.
Accordingly, the FSMA would generally be in charge of supervising compliance with DORA for investment firms, fund managers, (re)insurance intermediaries or crowdfunding service providers, while the NBB would assume the same function for credit institutions, insurance undertakings and payment institutions. This Belgian bill would further provide the FSMA and the NBB with investigative and supervisory powers, including the possibility to impose sanctions such as fines of up to 10% of the company’s turnover or EUR5 million or periodic penalty payments.
This Belgian bill would also transpose the DORA Directive by amending Belgian sectoral financial legislation to ensure proper alignment with the requirements set out by the DORA Regulation, as the DORA Directive introduces a number of targeted adjustments to sectoral financial directives to ensure their seamless articulation with DORA.
Finally, on 17 January 2025, two royal decrees came into force, partially transposing the DORA Directive: The Royal Decree of 8 December 2023 incorporating operational resilience considerations into the development of resolution plans by credit institutions, and the Royal Decree of 25 May 2024 imposing operational resilience requirements on credit institutions and members or participants of regulated markets, in case of algorithmic trading activities.
Croatia
The Croatian legislator is active in ensuring compliance with DORA. To that end, an act transposing DORA into Croatia’s national legislation was published on 27 November 2024 and entered into force on 17 January 2025.
The Act on the implementation of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (the Act, Zakon o provedbi Uredbe (EU) 2022/2554 o digitalnoj operativnoj otpornosti za financijski sektor) allocated implementation powers under DORA to the Croatian Financial Services Supervisory Agency (the Agency, Hrvatska agencija za nadzor financijskih usluga) and the Croatian National Bank (Hrvatska narodna banka).
A decision taken by either authority on the basis of the Act and DORA cannot be appealed, but may be the subject of an administrative dispute. The Act further exempts credit unions and the Croatian Bank for Reconstruction and Development from the provisions of DORA.
The Agency and the Croatian National Bank shall supervise entities, impose supervisory measures and impose fines for infringements; such fines may not exceed 3% of the total annual income of the infringing entity, according to its latest available financial statements.
The Agency shall be in charge of supervising compliance with DORA for investment firms, crypto-asset service providers, central securities depositories, regulated market operators, large investment fund management firms, insurance and reinsurance companies, insurance intermediaries and other related entities, while the Croatian National Bank shall supervise credit institutions, payment institutions, electronic money institutions, account information service providers and issuers of asset-referenced tokens.
The above supervised entities are obliged to report significant ICT incidents to their respective supervisory authorities and to the Computer Security Incident Response Team (CSIRT).
Additionally, the latest amendment to the Law on Credit Institutions (Zakon o kreditnim institucijama), published on 6 December 2024, transposed ICT-related provisions into national legislation, such as those on ICT risks and their management.
France
In France, the French Autorité de contrôle prudentiel et de résolution (the French Prudential Supervision and Resolution Authority or ACPR) has been very active since the enactment of DORA to ensure that French entities of the financial and insurance sectors are in a position to comply with the new requirements as from 17 January 2025. It has organised several conferences and discussions with entities from the financial and insurance sectors to answer their questions in relation to DORA, notably with respect to the reporting of major incidents and the declarations of outsourced IT services. In addition, it has updated the appendix on ICT risks to the annual report on internal control (rapport annuel sur le contrôle interne) to account for DORA requirements.
For the time being, the law transposing DORA (as need be) is yet to be adopted and enacted. During this transitional period, the ACPR has confirmed that third-country branches of investment firms, financing companies (sociétés de financement) and entities from the financial sector established in New Caledonia, French Polynesia, the Wallis and Futuna Islands and St-Pierre-et-Miquelon are not required to comply with requirements stemming from DORA. In addition, as the monetary agreement between the EU and the Principality of Monaco has not yet been revised, financial entities established in Monaco are not in scope of DORA for the time being.
Germany
In Germany, the Act on the Digitisation of the Financial Market (Finanzmarktdigitalisierungsgesetz) was published at the end of 2024 and has since entered into force. Among other things, this Act makes the necessary selected adjustments to several acts to integrate DORA into the German regulatory landscape. This relates in particular to changes to the Banking Act (KWG), the Capital Investment Act (KAGB), the Investment Services Act (WpHG) and the Payment Services Supervision Act (ZAG), and introduces the rules on competencies and supervisory powers of the competent authorities, ie BaFin and Bundesbank. For example, BaFin will act as the national reporting hub for ICT incidents in the financial sector, accept notifications on ICT third-party management and analyse them with a view to potential risks for the financial sector.
BaFin is continuously assisting supervised undertakings in their implementation efforts. BaFin maintains a dedicated part on its website with a compilation of the relevant information, including Level 1, Level 2 and Level 3 measures as well as national guidance, eg on the use of BaFin’s MVP-Portal for reporting, on the submission of DORA information registers, on plausibility checks in the DORA ICT incident reporting system or on the reporting requirement for information sharing agreements pursuant to Article 45 DORA.
In addition, BaFin has already started adjusting its administrative practice to DORA. Most importantly, BaFin repealed its Circulars on Supervisory IT Requirements for Capital Investments (KAIT), for Insurance (VAIT) and for Payment Services (ZAIT) on 16 January 2025. As regards the BaFin Circular on the Banking Supervisory IT Requirements (BAIT), BaFin repealed only parts of the BAIT on 16 January 2025 and adopted a step-by-step approach as regards the scope of application of these revised BAIT. For the time being, only CRR credit institutions that will have to put in place ICT risk management pursuant to Art. 5 – 15 or 16 of DORA are excluded from its scope of application. Other credit institutions, including third country branches, will continue to be in scope. BaFin also repealed its Circular on the Reporting of Major Payment Security Incidents under the ZAG.
Ireland
On 11 February 2025, the European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (S.I. 20/2025) were published (the Irish DORA Regulations), completing the national implementation of DORA into Irish law. While DORA applies directly to financial entities in its own right, the Irish DORA Regulations establish an Irish legal framework that allows for regulatory supervision, oversight and enforcement to be undertaken at a local level. Key elements of the Irish DORA Regulations are summarised below:
Central Bank of Ireland’s Supervisory Role
The Central Bank of Ireland (CBI) is now officially designated as the competent authority for overseeing threat-led penetration testing and representing Ireland on the DORA Oversight forum.
This means that the CBI will supervise all in-scope DORA financial entities, with the exception of institutions for occupational retirement provision, which fall under the Irish Pensions Authority’s jurisdiction.
Enforcement
To enforce compliance with DORA, the Central Bank Act 1942 has been amended. The CBI now has the authority to impose administrative sanctions for non-compliance.
Financial entities could face fines up to EUR10 million or 10% of their annual turnover, while individuals could be fined up to EUR1 million.
Senior Executive Accountability Regime (SEAR)
DORA has been classified as a ‘prescribed contravention’ under the Senior Executive Accountability Regime (SEAR). This classification mandates that senior executives take reasonable steps to ensure their institutions comply with DORA.
Failure to do so could result in regulatory investigations and administrative sanctions, highlighting the critical role of senior management in maintaining compliance.
The CBI’s approach to implementation of DORA is likely to be demanding. The CBI has publicly stated that it will expect that:
- incident identification and reporting will be in place and operational;
- firms will have identified gaps to compliance; and
- firms will remediate those gaps without delay.
The CBI will assess firms meeting the above objectives by considering the firm’s starting point, the quality of approach and the time taken to close gaps.
Italy
In Italy, both the legislator and the sectoral Supervisory Authorities, primarily the Bank of Italy, are actively working to ensure that operators comply with DORA. Just days after the Regulation came into effect, the Italian legislator released a draft legislative decree (not yet adopted or enacted) aimed at aligning the existing national legislation with DORA and addressing the remaining details necessary for its proper implementation.
The legislative proposal outlines, among other things, the competent national authorities (currently the Bank of Italy, Consob, IVASS and COVIP, depending on the sector in which the supervised entities operate), while also establishing appropriate cooperation mechanisms. It also clarifies the obligations applicable to so-called financial intermediaries under art. 106 of the Consolidated Law on Banking, which in Italy fall within the scope of DORA, albeit with possible simplifications and deferred application. Additionally, the proposal defines the sanctions applicable for non-compliance. A point worth mentioning concerns the list of entities subject to the competent authorities’ supervisory powers. In this regard, the draft legislative decree also lists ICT third-party service providers whose services support critical or important functions of financial entities (whereas DORA provides that competent authorities may exercise certain powers over critical ICT third-party service providers). As this appears to be a significant expansion of the powers of the competent authorities, it will be necessary to monitor it throughout the adoption process of the draft legislative decree.
Further secondary legislation will need to be issued by the Supervisory Authorities to address sector-specific or more technical aspects, although the Supervisory Authorities have already taken some steps to provide guidance. Namely, in December 2024, the Bank of Italy issued a set of communications clarifying, inter alia, how DORA should be uniformly applied and instructing intermediaries to assess their actual compliance with DORA, including by conducting a self-assessment of their ICT risk management framework, to be submitted to the Bank of Italy by 30 April 2025. Similarly, IVASS, in relation to the insurance sector, provided guidance in the final months of 2024 on supervisory expectations, including those related to the DORA framework.
Luxembourg
Luxembourg has already transposed the DORA Directive into Luxembourg law by passing the law of 1 July 2024 on DORA (DORA Law), which amended the following national laws relating to the financial sector with a view to implementing DORA:
- The law of 5 April 1993 on the financial sector, as amended;
- The law of 13 July 2005 on institutions for occupational retirement provision in the form of SEPCAVs and ASSEPs, as amended;
- The law of 10 November 2009 on payment services, as amended;
- The law of 17 December 2010 on undertakings for collective investment, as amended;
- The law of 12 July 2013 on alternative investment fund managers, as amended;
- The law of 7 December 2015 on the insurance sector, as amended;
- The law of 18 December 2015 on the insolvency of credit institutions and certain investment firms, as amended;
- The law of 30 May 2018 on markets in financial instruments, as amended;
- The law of 16 July 2019 on the operationalisation of European regulations in the field of financial services, as amended.
The DORA Law provides:
(a) the Supervision Commission of the Financial Sector (Commission de surveillance du Secteur Financier) (CSSF) and the Supervisory Authority for the Insurance Sector (Commissariat aux Assurances) (CAA), both as Luxembourg competent national authorities responsible for ensuring the application of DORA, with the supervisory and investigative powers necessary for the performance of their duties, and
(b) for an appropriate system of sanctions.
Furthermore, the aim of the DORA Law and the related amendments to the above listed national laws was to ensure that all of those laws are consistent with DORA with respect to the application of the operational digital resilience requirements which were included in the various specific laws of the financial sector.
CSSF
The CSSF published a communication on 15 January 2025 reminding financial entities subject to DORA to comply with the DORA requirements as from 17 January 2025 and to follow the new dedicated procedure for reporting major ICT-related incidents and significant cyber threats, ie to use the correct notification form through the dedicated procedure “DORA Major ICT-related incident and significant cyber threat notification” on the CSSF eDesk Portal or via the API interface (S3) provided by the CSSF.
The CSSF also reminded financial entities that DORA and the related EU regulatory and implementing technical standards take precedence over any specific CSSF circulars covering elements or requirements on ICT and security risk management, outsourcing and the incident reporting framework. This does not release entities from the other topics under those circulars that are not related to DORA, and the CSSF is about to update those circulars accordingly.
The CSSF further communicated the email address to be used for prior notifications where financial entities wish to outsource their reporting obligations (for major ICT-related incidents or significant cyber threats), stressing that currently no aggregated reporting by third-party providers is permitted.
The CSSF further asked all financial entities subject to DORA to submit their information registers to the CSSF between 1 April 2025 and 15 April 2025 via the eDesk, after which financial entities will be invited to correct any errors detected by the CSSF and re-submit their registers before 30 April 2025.
CAA
The CAA published Circular letter 25/1 on 14 January 2025 (Circular) providing practical guidance on certain aspects of implementing DORA, in particular its expectations concerning incident reporting, which is to be made using the templates annexed to the Circular and submitted to the CAA email address created for this purpose. The Circular also specifies that the information registers must be submitted to the CAA by 18 April 2025 at the latest via the SOFIiE/eFile channel, using the new reporting template made available for this.
Netherlands
The Dutch act implementing DORA into Dutch legislation (as far as needed, since DORA is directly applicable) came into effect on the same date as DORA itself: 17 January 2025.
In the Netherlands, the Dutch Authority Financial Markets (Autoriteit Financiële Markten, the AFM) and The Dutch Central Bank (De Nederlandsche Bank, DNB) have been actively preparing the financial and insurance sectors for compliance with DORA since 2023. Both regulators have engaged with market participants through various channels, including industry consultations and guidance publications and webinars, to address key aspects of DORA. Particular attention has been given to risk management, the reporting of major ICT-related incidents and testing of digital resilience.
Additionally, the AFM and DNB have emphasized the integration of DORA’s requirements into existing risk management and governance frameworks. For instance, DNB has updated its guidance on ICT risk management and third-party risk oversight, such as the outsourcing notifications, to align with DORA.
The AFM and DNB have indicated that firms should comply with DORA to the fullest extent possible (even with some final versions of the RTS still pending). They have announced that they will conduct DORA-themed investigations, either focused on DORA compliance within the sector or within a specific financial undertaking. It is furthermore expected that the regulators will soon request financial undertakings to submit the information registers (with reference date 31 March 2025) by April 2025 at the latest, to align with the European processes.
Slovenia
In Slovenia, the implementation of DORA is currently still underway. The text of the proposed Regulation on the implementation of the (EU) regulation on digital operational resilience for the financial sector (Uredba o izvajanju uredbe (EU) o digitalni operativni odpornosti za finančni sektor) was published and submitted for inter-ministerial coordination by the Ministry of Finance in November 2024; however, the timeline for legislative activities is not yet known. The proposed act distributes supervisory responsibilities between the Bank of Slovenia (Banka Slovenije), the Slovenian Securities Market Agency (Agencija za trg vrednostnih papirjev, ATVP) and the Slovenian Insurance Supervision Agency (Agencija za zavarovalni nadzor) in line with the relevant sectoral regulations. Among other things, the proposal outlines methods of supervision as well as measures available to the supervisory authorities.
In addition, several Slovenian laws have already transposed certain provisions of DORA, eg the Payment Services, Services for Issuing Electronic Money and Payment Systems Act (Zakon o spremembah in dopolnitvah Zakona o plačilnih storitvah, storitvah izdajanja elektronskega denarja in plačilnih sistemih) and the Bank Recovery and Resolution Act (Zakon o reševanju in prisilnem prenehanju bank).
In relation to reporting, ATVP prepared a draft Functional Specification for reporting under DORA on 7 February 2025.
Spain
In Spain, the financial authorities are actively working on the implementation of the Digital Operational Resilience Regulation (DORA) and have made significant progress in this regard. In December 2014, the Spanish Council of Ministers approved the draft law on the digitalisation and modernisation of the financial sector, which transposes Directive (EU) 2022/2556 on the digital operational resilience of the financial sector (DORA Directive). While the adoption of this draft law is an important step, the transposition process is still ongoing.
In this context, the financial authorities have taken further measures to ensure that entities within the scope of the regulation meet the implementation deadline of 17 January 2025. These actions are detailed below.
The Spanish Securities Market Commission (CNMV): In December 2024, the CNMV published a report on the results of a self-assessment exercise evaluating entities’ readiness for DORA. The report included key recommendations and regulatory aspects. This exercise had two main objectives: (i) to assess entities’ preparedness for DORA, and (ii) to encourage self-assessment to identify areas for improvement and plan implementation.
The findings indicate that the self-assessment exercise helped raise awareness among entities about DORA’s requirements and provided insight into their level of compliance ahead of the Regulation's application. In general, entities demonstrated adequate governance, cybersecurity, and business continuity measures. However, shortcomings were identified in test management and the oversight of third-party ICT risks.
In line with Article 19 of DORA, the CNMV has announced the implementation of a system for receiving notifications of major ICT-related incidents via its electronic office. While this system is being finalised, a temporary notification procedure is in place.
Bank of Spain (BdE): In November 2024, the BdE issued a communication to supervised entities outlining their immediate obligations under DORA. In particular, the entities supervised by the BdE were required to: (i) adapt their ICT incident management processes by 17 January 2025; (ii) subscribe to the new electronic notification service for major incidents and significant cyber threats; and (iii) submit a comprehensive register of contractual agreements with ICT service providers by April 2025, detailing provider categories, agreement types and services provided.
Directorate General of Insurance and Pension Funds (DGSFP): As the supervisory authority for the insurance sector, the DGSFP has issued a resolution adopting the Joint Guidelines of the European Supervisory Authorities on supervisory cooperation and information exchange under DORA. It has also implemented mechanisms for: (i) the notification of major cyber incidents and significant cyber threats (Article 19 of DORA); and (ii) the annual reporting on ICT service providers and contractual arrangements (Article 28 of DORA).
Sweden
In Sweden, there has been an ongoing process to align Swedish legislation with DORA. The Swedish Government proposed a bill transposing amendments to align Swedish legislation with DORA, which was adopted on 11 December 2024. The bill introduces a new act (the Act) providing national supplementary provisions for DORA and amendments to relevant domestic sectoral financial legislation to implement Directive (EU) 2022/2556.
The Swedish FSA (Sw. Finansinspektionen) (the SFSA) has been appointed as the competent authority responsible for supervising financial institutions’ compliance with DORA, in accordance with the current designation under the relevant sectoral regulations applicable to the financial sector. The Act provides the SFSA with investigative and supervisory powers, including the authority to impose sanctions on specific institutions under the Act or under relevant sectoral regulations.
Under the Act, the SFSA decides which financial entities must conduct threat-led penetration testing, while the central bank of Sweden (Sw. Riksbanken) is responsible for the testing of the digital resilience of such entities.
The SFSA has issued regulations on the reporting of major ICT-related incidents, the voluntary notification of significant cyber threats and the reporting of contractual arrangements. The SFSA is actively engaged in this area, having held two seminars on the topic and published information about its work on DORA.
United Kingdom
UK firms that perform in-scope activities in the EU, or that have in-scope intragroup arrangements, need to ensure that DORA compliance is implemented. Alignment and gap analysis against existing UK requirements is needed.
The UK’s transitional period for its operational resilience framework runs until 31 March 2025, after which firms’ strategies and processes are expected to be in place and managed on an ongoing basis.
The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have a policy development programme underway to promote operational resilience, including critical third parties and reporting requirements.
Next steps
We are closely following the developments regarding DORA and its implementation across the European Union.
In case of questions, our European Financial Services Regulatory Team is happy to assist.