
DORA deadline day arrives: Here are five things firms still need to do

Even as the EU’s Digital Operational Resilience Act comes into effect, more work remains to be done.  

After a two-year implementation period, DORA applies as of 17 January 2025. This is a significant milestone for the wide range of EU financial firms in its scope, including banks, insurers, asset managers, fintechs and market infrastructure. It is too early, however, to call an end to DORA implementation.

Here are five things that firms still need to think about doing after DORA deadline day:

1. Continue contract talks

Many firms are working to close out DORA-compliant changes to their contracts with ICT third-party service providers. In some cases engagement between the parties only started relatively recently, meaning that these discussions will extend beyond 17 January.

2. Use extra time to complete registers

DORA requires firms to collate details about their contracts with ICT service providers. National regulators will ask for the registers containing this information in late March/early April. Firms should use the next couple of months to improve the data quality and completeness of their registers and reflect recent feedback from the European authorities.

3. React to last-gasp changes to the rulebook

The EU legislators have not yet adopted technical standards on the subcontracting of ICT services or threat-led penetration testing. More guidance on the scope of DORA is also expected. Firms should keep a close eye on regulatory developments and how they might impact their implementation.

4. Prepare to engage with regulators

Now that DORA applies, national regulators will play a larger role in supervising compliance and taking enforcement action against breaches. Firms can anticipate more questions from supervisors about what they have done to meet DORA’s requirements, and requests for documentation relating to their operational resilience.

5. Resource BAU compliance

DORA compliance is going to be an ongoing process. As firms seek to wind down their implementation projects, they will need to keep under review how they are resourcing business-as-usual DORA processes. These include managing ICT-related incident reports, updating the DORA register and engaging with senior management on operational resilience metrics.

Explore our operational resilience webpage for more resources on DORA.
