As the date of application for the Digital Operation Resilience Act (DORA) is fast approaching, it is crucial that financial entities make sure they are prepared to be in compliance with its requirements as of 17 January 2025. With this in mind, on 5 December, the European Supervisory Authorities (ESAs) issued a joint statement outlining the expectations for financial entities under DORA.
The ESAs underscored the importance of financial entities (preparing for the upcoming deadline of early 2025) to submit their registers of contractual arrangements with ICT third-party providers, to the competent authorities as the latter will have to report these to the ESAs by 30 April 2025.
Key points to remember
- No transition period: the ESAs emphasise the importance of financial entities adopting a robust, structured approach in order to meet their obligations in a timely manner as DORA does not provide for a transition period.
- Deadline for reporting: financial entities must ensure that their registers of contractual arrangements with ICT third-party providers are ready for submission to competent authorities early 2025. These registers will need to be reported to the ESAs by 30 April 2025.
- Proactive preparation: as the ESAs strongly encourage financial entities to begin preparing their registers as soon as possible, the CSSF has also advised financial entities to plan accordingly for information that may not be immediately available, such as relevant identifiers (e.g. LEI or EUID) for ICT third-party providers.
- Lessons from the dry-run exercise: financial entities are advised to leverage the lessons learned from the ESAs’ dry-run exercise in 2024 and refer to the Implementing Technical Standards (ITS) on the Register of Information, which were adopted by the EU Commission on 29 November 2024.
- Incident reporting: it is important that financial entities are equipped to classify and report their major ICT-related incidents from the date of application.
For any further information, financial entities are encouraged to consult the Final Report and the ITS on the Register of Information to ensure that they are fully prepared for the early 2025 submission.
