Who’s (not) ready for DORA?

Over the last few years, the EU has been very active in updating its overall security framework. First, the NIS2 Directive aims to strengthen the cybersecurity posture of a whole range of important and essential entities across different sectors. Second, the Critical Entities Directive aims to boost the overall resilience of critical entities, the list of which overlaps largely with the NIS2 Directive. Third, the Digital Operational Resilience Act (DORA) focuses on the digital operational resilience of the financial sector. Last, the recently approved Cyber Resilience Act will impose specific cybersecurity requirements on products with digital elements.

In this blogpost, we will focus on DORA, which will become applicable from 17 January 2025.

Why DORA?

DORA is largely a cybersecurity framework. Why did we need another one if the NIS2 Directive was just adopted? While NIS2 will indeed become the core EU cybersecurity framework, its article 4 does allow for sector-specific acts to be adopted. Where such is the case, the sector-specific act takes precedence over NIS2 – thus becoming a lex specialis to NIS2’s lex generalis. Sector-specific acts can be better suited to take full account of the specificities and complexities of the sectors concerned.

Article 1(2) DORA identifies DORA as such a sector-specific act. Financial entities identified as essential or important entities under the NIS2 framework will therefore primarily have to comply with DORA instead of NIS2.

DORA addresses a number of regulated entities in the financial sector. Concretely, it applies to the following entities:

  • credit institutions;
  • payment institutions, including exempted payment institutions;
  • account information service providers;
  • electronic money institutions, including exempted electronic money institutions;
  • investment firms;
  • crypto-asset service providers under MiCAR;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds;
  • management companies;
  • data reporting service providers;
  • insurance and reinsurance undertakings;
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories.

This covers a very large portion of the regulated financial services market. However, there are still a few entities that are not covered at the moment. Moreover, DORA also provides for a few exemptions and deviations for microenterprises and SMEs.

How to prepare for DORA?

DORA focuses on the operational integrity and reliability of financial services, by ensuring that adequate ICT-related capabilities are in place to address the security of the network and information systems used by financial service providers. To attain this, regulated financial entities will need to address a few points:

  • ICT risk management: A comprehensive set of key policies and principles must be in place to manage ICT-related risks. This should be approached from all angles, including ICT risks, human resources, access control, anomaly detection, ICT resource mapping, change control, business continuity and disaster recovery, with documentation and regular follow-up.
  • ICT incident management, classification and reporting: All ICT-related incidents and major threats will need to be classified. Adequate procedures must be in place to monitor, handle and resolve incidents. Impacts of incidents will need to be assessed and root causes will need to be analyzed and mitigated. Streamlined reporting to the competent authorities must be in place, as well as communication to the public in certain cases.
  • Digital operational resilience testing: Regular testing will need to be performed on ICT systems, with some more critical entities subject to regular threat-led penetration testing (TLPT).
  • Cyber-threat information sharing: DORA provides a framework for the voluntary sharing of cyber-threat information between regulated financial entities, in line with the TIBER-EU framework.

Don’t forget about the ICT third-party service providers!

Even if you are not a regulated financial entity, DORA may still be applicable to you indirectly. A service provider that provides ICT services to financial entities subject to DORA will be considered as an ICT third-party service provider. This has a number of implications.

First, financial entities will need to adopt an ICT outsourcing policy, in which they describe the type of services they are willing to outsource, their risk assessment, their criteria for selecting a service provider, an exit policy, etc. Moreover, they will need to carefully assess their concentration risk, which arises if they become too dependent on a single or a limited number of service providers.

Second, contracts with ICT third-party service providers must comply with a number of requirements. Article 30 DORA lists a number of general requirements that apply to all cases of ICT outsourcing, but also includes a number of more specific requirements that only apply when outsourcing critical or important functions.

The result of this is that every contract a financial entity has with an ICT third-party service provider will need to be revised in order to comply with these requirements. This can be a complex exercise that requires a careful balancing of the parties’ rights and interests with the requirements of DORA.

Last, some ICT third-party service providers may be considered as critical ICT third-party service providers. This is the case if they are so important for the financial sector that an operational failure on their end could have a systemic impact on the stability, continuity or quality of the provision of financial services. These entities will be designated and supervised by the European Supervisory Authorities.

Is everyone ready yet?

The Belgian regulator FSMA has been conducting surveys on the preparedness of the financial sector for DORA. The first wave revealed that quite a few entities – particularly in the insurance sector – were either not aware of their obligations under DORA, or not adequately prepared for DORA yet.

Most financial entities were found to already have an ICT risk assessment and management framework in place, which puts them in a better position to prepare for DORA. High awareness and preparedness were also noted in terms of business continuity management. Incident response and testing, however, were points that still required major improvements for a large number of respondents. ICT third-party service provider risks were also still largely unmanaged.

A similar survey by the Luxembourgish regulator CSSF showed a more positive result, with a much higher perceived readiness, although here too ICT third-party risk management remained the biggest obstacle. This survey was conducted a few months later than the first FSMA survey, so this may also indicate that entities have been using 2024 wisely for their preparation.

Nevertheless, these results show that there is still work to be done, particularly in getting those contractual frameworks with ICT third-party service providers updated.

Author: Niels Vandezande, Timelex
