Vixio speaks to experts as the EU’s Digital Operational Resilience Act (DORA) becomes a fully actionable compliance requirement for financial institutions and their ICT providers operating in the trading bloc.
DORA has entered into force after years of preparation, affecting payments and e-money firms, banks, big tech, investment firms and crypto-asset service providers.
The regulation aims to enhance resilience in the EU financial sector by raising standards for risk management and ICT operations, and harmonises rules across the bloc, covering 20 types of financial entities under its supervisory scope.
“A date that has been circled in the calendars of EU financial institutions for two years, today marks the official arrival of the DORA,” said Fadl Mantash, chief information security officer at Tribe Payments.
Mantash continued that “whether firms are making final adjustments or racing to address outstanding gaps, the focus must now be on ensuring their compliance strategies are robust enough to withstand future challenges”.
Now that the regulation is here, Michael Huertas, a partner at PwC Legal, told Vixio that there “may be a bit of a sigh of relief for those who are fully prepared by the deadline”.
“However, not everyone will have met the deadline seamlessly, and some have fallen short of the level of enthusiasm and compliance that supervisory authorities would have hoped for,” he said.
“These firms will need to reflect and consider how to improve moving forward. The European Commission is already considering related issues, such as operational resilience in the healthcare sector, highlighting that this topic will remain relevant.”
Paces of preparation
Pascal Leitmann, an associate at Bird & Bird, said that firms have been very busy preparing and setting up internal risk management frameworks, particularly for the use of their IT services. “These entities have been taking stock of these services, assessing risks, and implementing comprehensive policies to address them. In the provision of these IT services, third-party service providers play a crucial role, and in the preparation for DORA firms have sought to amend existing contracts.”
For example, consider the settlement of payments through a payment service provider — numerous IT service providers are involved, and the payment service provider maintains contracts with many of them. “While some firms are well-prepared, others are less so, particularly in ensuring business continuity management,” he said.
“All IT risks and security requirements need to be assessed and contractually agreed upon. Over the past year, this has been an ongoing effort for firms, requiring them to reach out and amend existing terms.”
His colleague, Johannes Wirtz, agreed that updating contract agreements has been an obvious task.
“But there were questions back in November about the timing, as the technical standards were not ready at that point,” he said.
The Bird & Bird partner told Vixio that “while some firms took a proactive approach, working with draft rules, others held back, waiting for the final regulations to be passed before taking any action”.
“This created two paces of preparation,” he said. “From this perspective, the challenges are evident, and some entities aim to stay ahead, while others are delaying until the last minute. It’s quite a challenging situation to navigate.”
Register of information
The upcoming focus will likely be on the DORA register of information.
Outlined in Recital 7, the register tracks dependencies and risks from ICT third-party providers, providing data to supervisory authorities.
It covers all ICT services, with critical functions requiring detailed listing, and the European supervisory authorities (ESAs) plan to collect these registers from competent authorities by April 30, 2025.
According to Huertas, the register of information is “an easy starting point for regulators, and they will be systematically reviewing it”.
He elaborated that “so far, this process seems to be going relatively smoothly, and for regulated firms, compliance with this requirement is somewhat straightforward”.
“The dry run went well, with a positive tone, and the next deadline of April 30 still feels manageable,” he said.
“Firms should be able to meet this requirement, provided they avoid overcomplicating matters with contractual clauses and maintain a good working relationship with those listed in the register.”
Huertas continued by saying that document management and related infrastructure are key, so firms that do not yet have these things in place should act quickly.
“For those prepared, meeting the deadline should be easy. For those unprepared, it could pose significant challenges.”
“The register of information, along with the various deadlines for submission, is likely to be significant in the coming months,” suggested Wirtz.
“National regulators require this information by April, and from early March to mid-April, they will be actively requesting it. This period will provide an initial opportunity for regulators to assess whether institutions are compliant.”
According to Wirtz: “If any information is missing or incomplete, it may prompt a closer examination.”
Leitmann agreed, pointing out that “significant preparation is underway regarding the register deadline, as compliance will require considerable effort”.
Subcontracting
An area that has added further complexity to preparing for compliance is the secondary legislation, issued by the ESAs in the shape of the Regulatory Technical Standards (RTS).
The RTS can complicate compliance with EU financial regulations due to delays, complexity and operational challenges.
They have to be drafted by authorities such as the European Banking Authority (EBA), and must be approved by the European Commission.
This process, which includes consultations and revisions, can take months or even years.
During this time, firms can face uncertainty about the specific requirements they need to meet, as regulations referencing RTS may come into effect before the standards are finalised.
Once RTS are adopted, firms often face tight deadlines for compliance, requiring them to rapidly update systems, reporting frameworks and operational processes.
In this respect, DORA is no different, and firms have faced uncertainty while preparing for the final sign-off in the run-up to compliance with the ICT framework.
According to Leitmann, the RTS on subcontracting “have been particularly interesting”.
“In an environment where services are provided by numerous providers, subcontracting forms an important piece of the puzzle,” he said. “However, the requirements surrounding subcontracting have been heavily debated, with regulatory authorities having at times controversial notions of what is feasible to require from subcontractors.”
The Frankfurt-based lawyer described this as problematic, especially when dealing with subcontractors outside the European Economic Area, who often lack a clear understanding of how DORA will affect them.
“It has been a journey of fostering understanding, ensuring that subcontractors recognise the need to comply with certain requirements,” he said. “Failure to do so could lead to regulatory authorities terminating agreements, effectively excluding them from the European financial market.”
Going forward
Now that DORA is a fully enforceable legal framework for the EU’s financial market to abide by, the ESAs and their national counterparts could technically begin taking action against firms that they feel are not complying with the requirements.
However, a grace period is likely as firms make DORA part of their business as usual.
“Immediate enforcement is unlikely right out of the gate. Instead, it’s more a case of regulators asking, ‘Show me where you are.’ There will effectively be a bit of a grace period to allow organisations to fully address any compliance gaps,” said Huertas.
He suggested that if a firm is 5-10 percent off the mark, that might be acceptable for now, but being 20-30 percent off will require serious preparation and effort to close the gap.
“The real issue lies with those who haven’t engaged with these requirements at all, whether due to ignorance or the hope that it won’t apply to them. Such entities risk being unable to participate in the EU financial services market.”
DORA comes into force at a pivotal time for the EU. The bloc’s political landscape has shifted since the regulation was agreed, with a new college of commissioners and new members of the European Parliament in place in Brussels.
However, the EU’s political institutions are unlikely to take a light touch approach to components of DORA such as its oversight of ICT entities in the big tech industry.
Like the General Data Protection Regulation (GDPR) and the Digital Markets Act (DMA), DORA is a legal tool that can be used to effectively take on the now-critical role of ICT providers, many of which are headquartered outside the EU.
For example, GDPR enforcement has often targeted US technology giants, leading to multimillion fines for firms such as Meta, as well as strained transatlantic relations following court cases such as Schrems II.
Similarly, the DMA imposes obligations that heavily affect US firms designated as “gatekeepers”.
It would not be surprising if DORA followed a similar trajectory, especially if enforcement focuses on US ICT providers due to their dominance in cloud services and infrastructure.
This could lead to perceptions of bias, even if enforcement actions are justified due to a lack of compliance.
“There doesn’t seem to be much appetite, particularly in the political and geopolitical spheres, for cutting big tech firms any slack,” said Huertas.
“The dialogue has been marked by heated statements exchanged across the Atlantic. Ultimately, it comes down to the question of how much compliance will be expected and enforced.”