The EU’s Digital Operational Resilience Act (DORA) becomes binding on 17 January 2025. As the compliance deadline approaches, EU financial regulators (ESAs) have issued a flurry of statements on the act, including:
- An ESA statement on DORA compliance.
- The publication of the final Implementing Technical Standard for registers of information.
- An ESA report on regulators’ DORA “dry run” of registering information.
- The European Insurance and Occupational Pensions Authority’s (EIOPA’s) revocation of its previous guidance on IT risk, including its guidelines on cloud outsourcing, on the basis that DORA has subsumed those guidelines.
Below we set out four takeaways from the ESAs’ recent statements for organizations preparing for DORA, and what organizations should do now.
ESAs Have Indicated a Strict Approach to Enforcement
DORA’s obligations are novel and wide-reaching, so achieving compliance is a significant undertaking — particularly as many core aspects of DORA (such as the delegated regulations on subcontracting registers of information) either have not yet been finalized or were only finalized in the last month. Many organizations will therefore likely struggle to achieve compliance by the January 2025 deadline, and had hoped for a phased enforcement approach or transition period for DORA obligations. Instead, the ESAs have reiterated that DORA has a strict 17 January 2025 deadline, and that the ESAs expect comprehensive compliance by that date.
While ESA posturing is to be expected, how enforcement will proceed in practice remains to be seen. Given that DORA significantly expands the scope of EU financial regulation of information technology, many European financial regulators simply will not have the expertise or bandwidth to enforce DORA fully on day one, and will instead have to take a targeted enforcement approach, focusing on the most significant and most visible areas of noncompliance. Organizations should adapt their DORA compliance programs accordingly.
Registers of Information Are the Top Priority, and Organizations Should Focus On Accuracy More Than Comprehensiveness
The ESAs’ statements indicate clearly that DORA registers of information will be the top enforcement priority, and ESAs will expect organizations to submit those registers in early 2025 to enable the regulators to identify critical third-party suppliers to the EU financial sector.
Given that the final implementing regulation for the register of information was only published in December 2024, this is an extremely tight deadline (though the ESAs argue that drafts of the implementing regulation were available in January 2024). Organizations should therefore prioritize the completion of the register of information and, given the time constraints, consider pragmatic approaches to preparing a “good enough” register rather than attempting to achieve 100% compliance. In this regard, the ESAs’ dry run feedback focuses on the accuracy and technical compliance of a company’s register of information (e.g., whether registers use the correct naming conventions and file formats). Therefore, submitting a polished register that comprehensively and accurately covers an organization’s most significant IT providers may be more advantageous than submitting incomplete information about the full set of IT providers.
Sophistication Differs Between Sectors
The ESAs’ statements frequently note that DORA obligations are largely similar to existing guidelines, such as the European Banking Authority’s guidelines on outsourcing arrangements, meaning that organizations should already be (partially) DORA-compliant. While this is true for entities in the most heavily regulated parts of the financial sector (such as banking), entities that have not been subject to those guidelines, such as alternative investment fund managers, face a steeper hill to climb because their existing compliance infrastructure is likely to be less extensive.
This divergence in complexity and sophistication across sectors was reflected in the ESAs’ register of information dry run, which found, for example, that the registers of information submitted by insurers and banks contained an average of roughly five times as many data points as those submitted by alternative investment fund managers.
Enforcement Will Vary by Country
Although DORA is, in theory, consistent across the EU, in practice different member states will take different approaches to enforcing DORA. The ESA dry run exercise, for example, disproportionately involved financial entities based in Austria, Malta and Hungary, presumably because the regulators in those jurisdictions emphasized participation in the dry run.
Similarly, the Luxembourg financial regulator implemented a range of DORA-inspired rules based on early drafts of DORA, and has undertaken a detailed consultation on DORA readiness, so will have high expectations for organizations’ compliance. In contrast, many EU member states have not yet transposed Directive 2022/2556, which introduces DORA-related amendments into existing financial services laws.
What To Do Now
Given the limited time before the DORA deadline, DORA-regulated entities will need to make pragmatic choices about which DORA obligations to prioritize. Companies should look to identify “quick wins” that maximize regulator-facing compliance, such as preparing board minutes, updating incident response plans, fleshing out the register of information and preparing DORA-compliant contractual addenda with key suppliers. Implementing these priority obligations now will give an organization time to implement any remaining lower-priority DORA obligations in a phased manner through 2025.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.