The Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA" or the "Regulation") entered into application on 17 January 2025. In the final months leading up to this significant milestone, there have been several noteworthy developments aimed at facilitating compliance with DORA, in particular during the initial period.
DORA mainly addresses three levels of the financial sector:
- the in-scope financial entities as defined under Article 2(1)(a) to (t) of DORA ("Financial Entities");
- the national competent authorities (the "Competent Authorities"), as defined under Article 46; and
- the European Supervisory Authorities (the "ESAs").
Additionally, information and communication technology third-party service providers (the "ICT TPSPs") will also be indirectly affected by DORA, as they must cooperate with the Financial Entities to ensure accurate reporting.
We have been following DORA developments in our previous newsletters since October 2023, and also reported notable developments in July 2024 and October 2024.
Financial Entities and ICT third-party service providers – the struggle to comply
Financial Entities and, indirectly, the ICT TPSPs face notable pressure to comply within DORA's legislative ecosystem. The wealth of regulatory developments adjacent to the Regulation's main body has been reported in our previous newsletters. It became increasingly evident that in-scope entities face an uphill battle to adapt in time, given the lack of a transition period, unclear definitions of key concepts and delays in the adoption of all relevant guidelines.
It was only recently (on 29 November 2024) that the European Commission adopted Implementing Regulation (EU) 2024/2956, providing Financial Entities with access to the standard templates for maintaining registers, as developed by the ESAs in accordance with Article 28(9) of DORA. As of the date DORA entered into application, the regulatory technical standards concerning the subcontracting of ICT services supporting critical or important functions had still not been adopted by the Commission. Interested entities were however encouraged to consult the final draft of the ESAs' joint report and to revise their agreements accordingly.
The ESAs and the Competent Authorities carried out a dry run exercise from April to August 2024 to simulate the reporting process and to help the over 1,000 Financial Entities involved identify points of improvement. Significant issues were identified, particularly regarding data quality, prompting individual feedback to be provided to Competent Authorities and participating Financial Entities to address sanctionable errors. A report published on 17 December highlighted the most frequently encountered issues, offering valuable insights into common oversights, such as missing mandatory information and difficulties with unique identifiers, along with recommendations on how to avoid them.
On 4 December 2024, the ESAs issued a statement on the application of DORA, noting in particular that the lack of a transitional period makes it necessary for Financial Entities to adopt a timely, robust and structured approach to meeting their DORA obligations, and for ICT TPSPs to assess their operational set-up against DORA requirements.
Such statements help prevent obligations from being overlooked or disregarded by those concerned, in a context where:
- certain Financial Entities have already been subject to piecemeal sectorial guidelines and regulations on ICT risk management, incident reporting and outsourcing for years; and
- ICT TPSPs do have direct positive obligations stemming from the Regulation.
DORA is a far-reaching regulation that raises the bar on compliance standards and thus requires all in-scope entities to identify and address all compliance gaps. ICT TPSPs face market pressure from their client Financial Entities to implement contractual amendments ensuring DORA compliance.
Indeed, the Competent Authorities and the ESAs have also made efforts to facilitate the transition into compliance by clarifying the wider implications of DORA, as well as its interplay with existing legislation.
For instance, on 15 November 2024, the European Insurance and Occupational Pensions Authority (EIOPA) issued an opinion highlighting a scope overlap between DORA and the Solvency II Directive. Due to the increased size thresholds under Solvency II, DORA would temporarily apply to small insurance and reinsurance undertakings, which EIOPA considered disproportionate. As a result, on 19 December 2024, EIOPA announced the revocation of two sets of guidelines issued in the context of Solvency II on ICT security, governance, and outsourcing to cloud providers, and the amendment of an opinion on the supervision of operational risks faced by IORPs.
More information on the published guidance is available in our previous newsletters referenced above.
Last minute guidance from the CSSF
In Luxembourg, the CSSF and the Commissariat aux assurances (CAA) are the designated Competent Authorities. Competent Authorities are expected to collect from Financial Entities all reporting on ICT TPSP registers ahead of the submission deadline of 30 April 2025.
The CSSF issued last-minute guidance:
- on 5 December, a communication with reminders and advice on preparedness; and
- on 15 January 2025 (two days before the entry into application of DORA), a publication covering the list of circulars overruled by DORA, a last-minute checklist of practicalities to be considered, and the obligations of Financial Entities intending to outsource the reporting obligation to third parties.
All relevant information and applicable legislation relating to DORA for Luxembourg entities is available on the dedicated DORA page of the CSSF website.