Cybercriminals are becoming increasingly sophisticated, and the number of cyberattacks continues to rise. This prompted Europe to adopt the Digital Operational Resilience Act (DORA) (REGULATION (EU) 2022/2554), aimed at making the entire financial sector more operationally resilient. Previously, various guidelines existed for different types of financial firms, but there was no unified legal framework. DORA addresses this by harmonizing ICT rules across the sector and raising the overall standards. As of January 17, 2025, DORA became applicable. This was the deadline for financial institutions to have all required policies and procedures in place. Additionally, the register of information will soon be requested by the supervisors. Over the past year, we have assisted many financial entities in becoming DORA compliant. Below, we share some key points and tips we learned during these projects.
In our experience, not all financial entities are DORA-ready yet, so there is still work to be done.
The legislative package is quite extensive, and so are the obligations that financial institutions must comply with. In many cases, a key role in the project is reserved for internal employees. This makes it challenging to give the project sufficient priority in combination with regular activities, and thus to make sufficient progress. Adjusting documentation requires time and attention, and often many different documents are affected that need to be aligned.
Tip: Now that the deadline is here, make sure there is an overview of the current state of the implementation. If there are gaps left to be closed, it’s important to schedule these tasks for the coming period. Ensure there is still capacity left to finish the project and record the decisions that are taken.
Now that (almost) all policies and procedures are ready, make sure the new way of working is embedded within the organization. The DORA project team (or the few employees who worked on the implementation) may know exactly how to proceed, but don’t forget to take time to also inform the rest of the employees. For example, incidents must now be recorded and reported according to the new processes. So, make sure the business is aware, and that ICT third-party providers are also prepared.
Within all financial institutions, many controls were defined during the ICT risk analysis and in policies and procedures. Now it’s time to start executing the risk and control framework, to execute the tests defined, and to start the monitoring tasks.
Tip: List all controls and create a monitoring program. Create a plan to execute all tasks and keep track of the progress.
From what we see in the market now, the register of information is the topic that demands the most attention from financial institutions. This is not surprising, as it is known that it will be requested by the supervisors in the short term.
The most recent template for the register, available on the EBA website, does not fully match the latest version of the associated ITS. The ITS has recently been updated, but the register has not yet been adapted accordingly.
The EBA has indicated that no new format will be provided in Excel. Consequently, we must wait for the request from the national supervisor and the format they require. Therefore, from our perspective, the best option is to use the current template and prepare to add the missing cells from the ITS at a later moment.
With DORA coming into effect on January 17, 2025, it’s crucial to maintain compliance:
Looking ahead: Compliance with DORA doesn’t end with the deadline. Stay vigilant for new requirements and ensure your organization is prepared for future updates or audits by regulators.
Do you want to stay up to date on DORA, digital resilience and/or other developments in financial laws and regulations?
On May 21, the webinar “Challenges in Implementing DORA” took place. Projective Group consultants Gert Jan Thierry and Nienke Moek guided participants through the expectations of the regulator regarding DORA and the challenges in its implementation. They also provided practical tips to overcome these obstacles. Click here to read a summary of the webinar.