DORA Compliance: What Financial Entities Need to Know
DORA's compliance deadline of 17 January 2025 is just over two months away. Despite this, several elements are still under discussion by the European Supervisory Authorities (ESAs).
What is under discussion?
Of the ten Regulatory and Implementing Technical Standards (RTS and ITS) which accompany the DORA Directive and Regulation, six are yet to be approved by the European Commission (EC).
While the final text of the six outstanding RTS and ITS is unlikely to change significantly, the recent rejection of the proposed ITS on the Register of Information shows that changes are possible. At a recent industry event, the Central Bank of Ireland (CBI) indicated that the RTS on subcontracting of ICT services supporting critical or important functions may also be rejected, pending further discussion of the provisions on chain-contracting.
As it stands, there is no clear timeline for when the final RTS and ITS will be approved by the EC.
Further guidance is also expected from the ESAs on the interpretation of ICT services and ICT service providers in the context of both regulated services and non-ICT outsourced services that make use of a supportive ICT service.
What has the CBI said?
The CBI is currently working through its own implementation project, with work underway to ensure that it is prepared to receive and act on incident reports received from Financial Entities and that existing supervision teams are well supported by the CBI’s in-house technology team.
The CBI has acknowledged the significant uplift required to implement DORA. While Financial Entities should make every effort to comply ahead of the 17 January 2025 deadline, the CBI appreciates that certain workstreams will inevitably not be fully embedded by that date. Where necessary, Financial Entities should have comprehensive plans in place to achieve compliance which is ‘not too-far reaching into the future’.
For the approximately 30 Financial Entities that will be subject to threat-led penetration testing (TLPT) because of the higher systemic risk they pose to the wider industry, the CBI has indicated that it will contact them directly before the end of the year with the aim of scheduling workshops on the TLPT process.
What should Financial Entities be focusing on?
With the compliance deadline looming, the key priorities for all Financial Entities should be:
- To identify and map the dependencies of their critical or important functions.
- To identify the ICT Third-Party Service Providers who support these critical or important functions.
- To work with these ICT Third-Party Service Providers and key internal stakeholders to collate the information necessary to complete the register of information.
- To draft/update the policies and procedures required to underpin a robust ICT Risk Management Framework.
- To update contracts in place with all ICT Third-Party Service Providers.
- To plan for those non-priority actions which will not be completed by 17 January 2025.
How can we help?
We are delighted to announce the launch of the Arthur Cox DORA Toolkit, comprising a series of concise, practical, and easy-to-read guides and checklists to help Financial Entities implement the requirements introduced by DORA. We hope that the DORA Toolkit is useful to you in assessing your current compliance status against DORA ahead of the 17 January 2025 deadline and in highlighting those areas where further work may be required.
Where the DORA Toolkit indicates that further work may be required, Arthur Cox is on hand to provide the necessary legal expertise and operational know-how to guide you through the process.
In addition to the DORA Toolkit, Arthur Cox can help you strengthen the digital and operational resilience of your firm in a number of ways, including:
- Assisting with the design and development of business continuity and resiliency plans, policies and procedures.
- Working with your organisation to document practical and actionable exit strategies and plans for critical service providers.
- Advising on process and methodology development for the identification and mapping of critical providers, business services and functions.
- Drafting and/or reviewing policy and procedural documents in the areas of Outsourcing, Technology & Cybersecurity, and Operational Resilience.
- Assisting with the development of robust contractual terms relating to operational resilience and information security for inclusion in supplier contracts.
- Supporting your implementation projects as part of the wider EU Digital Finance Strategy, e.g. the EU AI Act, Digital Services Act, Digital Markets Act, and the EU Data Act.
If you would like to discuss any of the services mentioned above, please do not hesitate to contact your usual Arthur Cox contact(s), or any member of the Governance and Consulting Services or Technology and Innovation teams, to find out how we can help you.