Add a bookmark to get started

Microchip
18 November 20243 minute read

Countdown to DORA: our insights and resources on how to best prepare for the entry into force of DORA

The Digital Operational Resilience Act will apply from 17 January 2025, strengthening cybersecurity obligations across the financial sector. Financial entities and service providers alike are racing to update their contractual documentation. 

  • For financial entities, this is a direct obligation under the regulation, which significantly reinforces the current status quo as DORA covers a much broader range of ICT services. 
  • For service providers, an update of the documentation - and/or guidance of their clients on how they may be already compliant - has proven a necessity to maintain and further reinforce/strengthen their presence in the financial sector. 

Here are our latest analyses and resources to best comply with this regulation.

 

Practical tips for compliance. Part 1

Did you know that looking at articles 28 and 30 of the DORA and the RTS on contractual arrangements and subcontracting may not be sufficient to ensure compliance?

Here are a few examples of requirements that may be found in other RTS that could indirectly impact contracts without setting a mandatory requirement for contractual provisions:

  • RTS on Risk management Tools: Financial entities must request from ICT Service Providers to investigate the relevant vulnerabilities, determine root causes and implement appropriate mitigating actions.
  • RTS on Risk management Tools: Where appropriate, financial entities are expected to collaborate with the ICT Service Providers in the monitoring of the version and possible updates of third-party libraries.
  • RTS on Register of Information: Given that the register of information must be kept up to date, ICT Service Provider may be requested to provide information throughout the duration of the contract.
  • RTS on content of the notification and reports for major incidents and significant cyber threats: To ensure that they comply with notification obligations, financial entities are likely to further specify the collaboration requirements mentioned in article 30 to require more specific deadlines and information from ICT service providers with regards to incident management.

 

Regulatory landscape

DORA is accompanied by implementation texts interpreting many of its provisions. The three European Supervisory Authorities (ESAs) - the European Insurance and Occupational Pensions Authority,  the European Banking Authority and the European Securities and Markets Authority - are mandated jointly to develop certain technical standards and guidelines relating to ICT risk management, monitoring of ICT third-party risk, testing, and incident reporting. The ESAs were required to develop 12 policy instruments, to be delivered to the European Commission in two batches: the first batch by 17 January 2024 and the second batch by 17 July 2024.

We have centralized the state of adoption of these documents in the table below (last update 14 November 2024):

 

Print