DORA: current state of affairs

 February 5, 2024 | Blog

In our previous three blogs about the Digital Operational Resilience Act (DORA), we have introduced DORA, explored its past and future and discussed the readiness of market participants for its application in 2025.

In this blog we will update you on the most recent developments and the current state of affairs.

Calls on financial entities to prepare for DORA

Over the past year, the Dutch Authority on Financial Markets (‘AFM’, Autoriteit Financiële Markten) and the Dutch Central Bank (‘DNB’, De Nederlandsche Bank) have called financial entities (such as credit institutions, pension funds, investment fund managers and insurance undertakings, etc.) to action to prepare for DORA as soon as possible. Financial entities were encouraged to start implementing the regulation while awaiting the details of further rules and guidance to unfold.

Additionally, DNB has updated its good practice on information security to fully meet the standards of DORA. The good practice on information security intends to provide financial entities with guidance to help them comply with the applicable laws and regulations to ensure availability, integrity, confidentiality, and authenticity of (automated) data processing.

According to DNB, financial entities can already perform the following actions to be ready for DORA:

  • ensure full compliance with the current legal framework (e.g. their updated Q&A and Good practice on information security as well as existing guidance of the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ‘ESAs’);
  • directors and internal supervisiors need to bring their knowledge and understanding of IT risk management up to standard and ensure to maintain a strong understanding;
  • evaluate the knowledge level of the organisation as well as IT-related policies, procedures and governance;
  • conduct a gap analysis based on DORA and the financial entity’s current state, and
  • liase with third-party service providers about the implementation of DORA and receiving adequate assurance.

Furthermore, DNB has highlighted concerns about cyber and concentration risks in the financial sector after an analysis on the use of third parties by the ESAs and national supervisory authorities. The analysis resulted in the following conclusions:

  • financial entities increasingly outsource critical services and processes to third parties not subject to financial supervision;
  • a small group of IT service providers is essential for the financial sector, and
  • there is a high degree of interconnectedness and interdependence among IT service providers.

Finally, the AFM releases a DORA update (in Dutch only) every quarter – there will be six updates in total – aimed at aiding financial entities in preparing for DORA. As of now, two DORA updates have been issued: one focused on being well-prepared for DORA, and another addressing the management of ICT risks associated with third-party service providers. Future updates will delve into topics such as ICT risk management and incidents related to ICT.

Further clarifications on DORA requirement DORA through technical standards

Meanwhile the ESAs are in the process of developing and consulting technical standards to further specify and provide detailed guidance on the requirements deriving from DORA. DORA has mandated the ESAs to develop thirteen policy instruments in two batches. The first batch was presented for consultation in the summer of 2023 and the final draft versions were recently published and submitted to the European Commission for approval in the coming months.

The finalised drafts from the initial batch of technical standards cover:

  • the criteria for the classification of IT-related incidents;
  • the establishment of templates for the register of information;
  • the specification of the policy on IT services performed by third parties, and
  • the (simplified) IT risk management framework.
What is next?

On 17 January 2024, the ESAs submitted the first batch of technical standards to the European Commission for adoption. In our upcoming blog posts over the next few weeks, we will elaborate on the proposed technical standards and explore their implications for financial entities.

Simultaneously, the second batch of technical standards and guidelines entered the consultation phase in December 2023. The ESAs anticipate submitting these technical standards to the European Commission and releasing the final draft standards by 17 July 2024.

In our previous three blogs about the Digital Operational Resilience Act (DORA), we have introduced DORA, explored its past and future and discussed the readiness of market participants for its application in 2025.

In this blog we will update you on the most recent developments and the current state of affairs.

Calls on financial entities to prepare for DORA

Over the past year, the Dutch Authority on Financial Markets (‘AFM’, Autoriteit Financiële Markten) and the Dutch Central Bank (‘DNB’, De Nederlandsche Bank) have called financial entities (such as credit institutions, pension funds, investment fund managers and insurance undertakings, etc.) to action to prepare for DORA as soon as possible. Financial entities were encouraged to start implementing the regulation while awaiting the details of further rules and guidance to unfold.

Additionally, DNB has updated its good practice on information security to fully meet the standards of DORA. The good practice on information security intends to provide financial entities with guidance to help them comply with the applicable laws and regulations to ensure availability, integrity, confidentiality, and authenticity of (automated) data processing.

According to DNB, financial entities can already perform the following actions to be ready for DORA:

  • ensure full compliance with the current legal framework (e.g. their updated Q&A and Good practice on information security as well as existing guidance of the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ‘ESAs’);
  • directors and internal supervisiors need to bring their knowledge and understanding of IT risk management up to standard and ensure to maintain a strong understanding;
  • evaluate the knowledge level of the organisation as well as IT-related policies, procedures and governance;
  • conduct a gap analysis based on DORA and the financial entity’s current state, and
  • liase with third-party service providers about the implementation of DORA and receiving adequate assurance.

Furthermore, DNB has highlighted concerns about cyber and concentration risks in the financial sector after an analysis on the use of third parties by the ESAs and national supervisory authorities. The analysis resulted in the following conclusions:

  • financial entities increasingly outsource critical services and processes to third parties not subject to financial supervision;
  • a small group of IT service providers is essential for the financial sector, and
  • there is a high degree of interconnectedness and interdependence among IT service providers.

Finally, the AFM releases a DORA update (in Dutch only) every quarter – there will be six updates in total – aimed at aiding financial entities in preparing for DORA. As of now, two DORA updates have been issued: one focused on being well-prepared for DORA, and another addressing the management of ICT risks associated with third-party service providers. Future updates will delve into topics such as ICT risk management and incidents related to ICT.

Further clarifications on DORA requirement DORA through technical standards

Meanwhile the ESAs are in the process of developing and consulting technical standards to further specify and provide detailed guidance on the requirements deriving from DORA. DORA has mandated the ESAs to develop thirteen policy instruments in two batches. The first batch was presented for consultation in the summer of 2023 and the final draft versions were recently published and submitted to the European Commission for approval in the coming months.

The finalised drafts from the initial batch of technical standards cover:

  • the criteria for the classification of IT-related incidents;
  • the establishment of templates for the register of information;
  • the specification of the policy on IT services performed by third parties, and
  • the (simplified) IT risk management framework.
What is next?

On 17 January 2024, the ESAs submitted the first batch of technical standards to the European Commission for adoption. In our upcoming blog posts over the next few weeks, we will elaborate on the proposed technical standards and explore their implications for financial entities.

Simultaneously, the second batch of technical standards and guidelines entered the consultation phase in December 2023. The ESAs anticipate submitting these technical standards to the European Commission and releasing the final draft standards by 17 July 2024.

Sign up for our newsletters
Related expertise