Two years after its adoption in December 2022, the Digital Operational Resilience Act (DORA) applies in full from January 17, 2025.
DORA does not provide any transition period. In principle, financial entities should have used the two years from DORA's adoption to prepare for day-one compliance and should be able to meet all DORA requirements from January 17. That is the case even though several important "Level 2" measures (which detail the high-level provisions of DORA) are still pending.
This alert briefly recalls financial entities' key obligations under DORA, provides an update on the status of the DORA Level 2 measures and discusses the main DORA-driven compliance actions for 2025.
DORA Framework: A Refresher
By now, financial entities should be well aware of the DORA rules on the security of network and information systems and the management of information and communication technology (ICT) risks.
As a brief reminder, DORA applies to a wide range of financial entities, including insurers, insurance intermediaries, crypto-asset service providers, etc. Microenterprises are exempt from a large part of the DORA requirements and certain categories of financial entities are subject to a simplified ICT risk management framework.
DORA requirements for financial entities broadly cover the following areas:
- ICT risk management framework;
- Management, classification and reporting of ICT-related incidents;
- Digital operational resilience testing; and
- Management of ICT third-party risk, including requirements for contractual arrangements.
ICT risk management framework
DORA requires financial entities to establish a sound, comprehensive and well-documented ICT risk management framework with the necessary strategies, policies, procedures, protocols, and tools to support their operations and enable quick and efficient ICT risk response.
The ICT risk management framework should include a digital operational resilience strategy that establishes risk tolerance levels and information security objectives, while detailing how the entity will detect and protect against ICT-related incidents.
Financial entities are required to consistently maintain ICT systems that are appropriate, reliable, and technologically resilient. These systems should be capable of handling information processing needs during times of market stress or other adverse circumstances.
The ICT risk management framework must also contain a comprehensive ICT business continuity policy that allows financial entities to achieve the specific objectives set out in DORA. These include ensuring the continuity of critical/important functions, as well as responding to and resolving ICT-related incidents in a way that limits damage.
Financial entities must properly document their ICT risk management framework and review it annually. Updates should also be made in response to major ICT-related incidents or supervisory instructions.
ICT-related incident management, classification and reporting
DORA establishes uniform requirements for ICT-related incident management, classification, and reporting by financial entities.
Financial entities must put in place and implement measures to detect, manage, record and notify ICT-related incidents. They must classify ICT-related incidents and determine their impact using various criteria, including number of affected clients and counterparts, duration, geographical spread, and data losses.
Financial entities must also assess cyber threats and classify them as significant based on multiple criteria, including service criticality, client/counterpart impact, and geographical spread.
DORA further requires the reporting of major ICT-related incidents to supervisors and provides for the notification of significant cyber threats on a voluntary basis. Reports and notifications will need to be submitted using standard templates.
Digital operational resilience testing
As an integral part of the ICT risk management framework, financial entities must establish, maintain, and review a sound and comprehensive digital operational resilience testing programme. The programme should be designed to assess readiness for dealing with ICT-related incidents, identify weaknesses, and implement any corrective measures.
Financial entities identified by national supervisors will also have to conduct advanced testing of ICT tools, systems, and processes by means of threat-led penetration testing (TLPT).
Managing ICT third-party risk
Financial entities can maintain their outsourcing arrangements for the use of ICT services necessary for their business operations. However, DORA sets out rules on managing the risks arising from outsourcing arrangements with ICT third-party service providers (ICT TPPs).
As part of their ICT risk management framework, financial entities are required to adopt and regularly review a comprehensive strategy for managing ICT third-party risk. The strategy should include a policy regarding the use of ICT services for critical/important functions provided by TPPs. DORA also sets out specific requirements for entering into contractual arrangements with ICT TPPs, their termination, and exit strategies for ICT services supporting critical/important functions.
Financial entities must have written service level agreements with ICT TPPs that cover at least the elements specifically listed in DORA, including the possibility of ICT TPPs subcontracting ICT services which support financial entities' critical/important functions or material parts thereof.
Financial entities are further required to keep a register of information regarding their contractual agreements with ICT TPPs. The registers must be available at the entity, sub-consolidated, and consolidated levels, and distinguish between arrangements for ICT services supporting critical/important functions and those for other ICT services. DORA imposes reporting obligations regarding contractual arrangements, including a requirement to provide the full register of information upon a supervisor's request.
Status of Level 2 Measures
DORA sets out the principles and core provisions on the security of network and information systems and the management of ICT risks. The provisions of DORA are further detailed in numerous Level 2 measures (delegated acts, regulatory technical standards (RTS) and implementing technical standards (ITS)) and Level 3 measures (guidelines).
A large part of the delegated acts, RTS and ITS were published in the EU Official Journal and entered into force in 2024. The finalised Level 2 texts cover a number of key areas of DORA, including:
- ICT risk management framework and simplified ICT risk management framework;
- Criteria for the classification of ICT-related incidents and cyber threats;
- The policy on the use of ICT services supporting critical/important functions provided by ICT TPPs;
- Standard templates for the register of information regarding contractual arrangements on the use of ICT services provided by ICT TPPs; and
- Criteria for the designation of ICT TPPs as critical for financial entities.
Three further RTS/ITS have completed the adoption procedure and should be published in the EU Official Journal shortly. They cover the following matters:
- The content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats;
- Standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat; and
- Harmonised conditions enabling the conduct of oversight activities over critical ICT TPPs.
Meanwhile, two further Level 2 texts on significant DORA topics are yet to be adopted, in particular:
- At the end of January, the European Commission informed the European Supervisory Authorities (ESAs) that it was rejecting the draft RTS on subcontracting ICT services supporting critical/important functions.
- The Commission is yet to adopt the draft RTS on TLPT. The pending RTS should specify the criteria for identifying financial entities required to perform TLPT, the requirements and standards governing the use of internal testers, the requirements in relation to scope, testing methodology and approach for each phase of the testing, results, closure, and remediation stages, etc.
DORA-Driven Compliance Actions
As noted above, in-scope financial entities must generally meet their obligations under DORA from day one of DORA's application. However, several recent surveys conducted by national supervisors suggest that financial entities may still need to make (significant) additional efforts to fully comply with all DORA requirements.
An immediate DORA compliance priority for 2025 should be preparing for the new reporting obligations. In particular, financial entities need to have their registers of information regarding the contractual agreements with ICT TPPs ready and available for national supervisors in early Q1 2025. National supervisors have to collect this information from financial entities under their supervision and report it to the ESAs by April 30, 2025.
Collating the above registers of contractual agreements with ICT TPPs might not be a particularly burdensome exercise for financial entities which are already subject to extensive sectoral requirements on outsourcing (for example, reinsurers). However, it may require much more significant efforts by financial entities in sectors where the current regulatory framework does not impose detailed rules on outsourcing.
The ESAs have also emphasised that financial entities need to be ready to classify and report major ICT-related incidents from the date of DORA's application. All DORA rules on classifying ICT-related incidents are already available to financial entities. Meanwhile, although the Level 2 texts on the reporting of major ICT-related incidents, including the standard forms and templates, have not yet been published in the EU Official Journal, financial entities can rely on the texts of the RTS and ITS as adopted by the European Commission (these texts can be found on the EU Register of delegated and implementing acts).
In addition to the above immediate reporting obligations, financial entities should focus their DORA-related compliance efforts on at least the following key matters covered by DORA:
- Ensuring that their comprehensive ICT business continuity policy and ICT business continuity plans meet the objectives set out in DORA;
- Establishing a sound and comprehensive digital operational resilience testing programme. Financial entities still face uncertainty in this area pending the adoption of the Level 2 rules on TLPT by the Commission;
- Ensuring that their strategy on ICT third-party risk meets DORA requirements; and
- Continuing to negotiate DORA-compliant contractual arrangements with ICT TPPs to ensure that such arrangements include the minimum contractual provisions set out in DORA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.