<h1>DORA Is Live: What the January 17 Deadline Actually Means for Financial Services CTOs</h1>
<p>Published 10 January 2025, https://baecke.io/?p=143 (Executive Briefings)</p>
<p>DORA’s application date of 17 January 2025 has arrived. For financial services CTOs across the EU, this marks the transition from preparation to operation — and the gap between compliance documentation and operational readiness is larger than most organisations publicly acknowledge.</p>
<h2>The Deadline That Changes the Stakes</h2>
<p>The Digital Operational Resilience Act has been in preparation since its publication in December 2022. Financial entities covered by DORA — banks, insurers, investment firms, payment institutions, and a significant portion of their critical ICT third-party providers — have had over two years to prepare for its application date of 17 January 2025.</p>
<p>That date is now here. The supervisory expectations that apply from January 2025 are operational, not transitional. The European Supervisory Authorities (ESAs) — EBA, EIOPA, and ESMA — have published the Regulatory Technical Standards that detail what DORA requires in practice. National competent authorities are equipped with the supervisory mandate that DORA provides. The question is no longer whether to prepare, but whether the preparation that was done is adequate for the supervisory environment that has arrived.</p>
<p>The honest answer, based on the assessment activity that took place across European financial services in the second half of 2024, is that most firms completed DORA compliance programmes of varying depth. The firms that built genuine operational resilience programmes alongside the compliance documentation are better positioned than the firms that built compliance documentation alongside minimal operational change. The difference will become visible over the next twelve to eighteen months of supervisory engagement.</p>
<h2>What DORA Actually Requires Operationally</h2>
<p>DORA’s five pillars are well documented in compliance guidance. The operational translation of each pillar into day-to-day practice is where the gaps typically sit.</p>
<p>ICT risk management under DORA requires firms to have a framework that is board-approved, regularly reviewed, and genuinely operationalised in the ICT decision-making process, rather than a documented governance structure that is referenced only at annual reviews. The DORA ICT risk management framework is not a document; it is a set of processes, controls, and governance routines that run continuously. The difference between a compliant document and an operationalised framework is visible in whether ICT risk considerations appear in product development decisions, vendor engagement processes, and architecture reviews as a matter of routine.</p>
<p>ICT-related incident reporting has specific timelines under DORA that require operational processes to support them: initial notifications of a major incident are due within four hours of classification, intermediate reports within 72 hours, and final reports within one month. These timelines presuppose an incident classification capability that can distinguish a major DORA incident from a significant operational incident within the four-hour window, an escalation process that connects technical detection to the regulatory notification decision within that timeframe, and an external communication capability that can produce a regulatorily adequate notification. Each of these is a process design and tooling investment that many firms discovered, during tabletop exercises, was less mature than they expected.</p>
<p>Digital operational resilience testing requirements include vulnerability assessments, scenario-based testing, and, for significant firms, Threat-Led Penetration Testing (TLPT) as defined in DORA’s threat-led testing framework. TLPT is a specific testing methodology conducted by qualified testers using intelligence-led attack simulation, and the operational readiness to undergo TLPT — both in the firm’s own preparation and in the coordination with the national competent authority that TLPT requires — is a substantive programme of work rather than an extension of existing penetration testing practice.</p>
<p>ICT third-party risk management is the area where the most significant operational gaps exist across the industry. DORA requires firms to maintain a register of all ICT third-party providers, to classify critical or important third-party providers and perform enhanced due diligence on them, and to ensure that contractual arrangements with third parties meet DORA-specified requirements. The register requirement alone has revealed to many firms that their inventory of third-party ICT relationships is less complete than they assumed. The contract amendment programme required to bring existing contracts into DORA compliance is a multi-year effort at most firms and is unlikely to be complete in January 2025.</p>
<h2>The Third-Party Provider Position</h2>
<p>DORA introduces a new regulatory category: Critical ICT Third-Party Providers (CTPPs). The ESAs will designate firms as CTPPs based on their systemic importance to the EU financial sector. Designated CTPPs will be subject to direct supervision by the ESAs, including the power to require information, conduct inspections, and impose periodic penalty payments.</p>
<p>The CTPP designation process has not been completed as of January 2025, but the designation framework is clear enough that major cloud providers, core banking platform providers, and other providers with significant concentrations of EU financial sector clients are preparing for designation. The firms that rely on these providers need to understand what CTPP designation will mean for their relationship: enhanced oversight of the provider, but also potential requirements on the firms themselves regarding how they manage their relationship with CTPPs.</p>
<p>For financial services CTOs, the CTPP question has two practical implications. First, assess the concentration of critical ICT dependency on providers who are likely to be designated as CTPPs, and understand what the supervisory oversight of those providers will add to the risk management requirements for using them. Second, engage with those providers now to understand their DORA readiness posture, because the provider’s DORA compliance quality affects the firm’s ability to demonstrate adequate third-party risk management.</p>
<h2>The Supervisory Engagement That Follows</h2>
<p>National competent authorities in major EU financial services jurisdictions have been building DORA supervisory capacity alongside the regulation’s development. The supervisory approach across jurisdictions involves initial self-assessment questionnaires, followed by targeted supervisory engagement for firms whose self-assessment responses indicate gaps, and thematic reviews focused on specific DORA requirements.</p>
<p>The self-assessment questionnaires that national competent authorities will issue are the first formal supervisory engagement under DORA for most firms. The quality and honesty of the responses will affect the supervisory relationship that follows. Supervisors are experienced at spotting the gap between regulatory submissions and operational reality; a response that presents a more complete picture than the operational facts support will not survive the follow-up engagement it generates.</p>
<p>The firms that approach DORA supervision as a compliance exercise to be managed will have a different supervisory relationship from the firms that approach it as an operational resilience programme to be demonstrated. Supervisors can distinguish between these orientations relatively quickly, and the supervisory intensity that results is different.</p>
<h2>The CTO’s Programme for the First Half of 2025</h2>
<p>The practical programme for financial services CTOs in the first half of 2025 has three components.</p>
<p>The first is gap closure on the most material operational gaps identified in pre-January assessment. The incident reporting process, the third-party register, and the ICT risk framework governance routines are the most common gaps with the most immediate supervisory relevance. Investment in closing these gaps has a higher return than investment in documenting areas that are already compliant.</p>
<p>The second is TLPT preparation for firms that are in scope for threat-led testing. TLPT preparation requires identifying target systems, engaging qualified threat intelligence providers, and coordinating with the national competent authority on the testing scope and approach. This preparation takes three to six months for a first TLPT engagement; starting in early 2025 positions firms appropriately for testing in the second half of the year.</p>
<p>The third is third-party programme sustainability. The contract amendment and enhanced due diligence programme for DORA-compliant third-party relationships is a multi-year programme that needs a sustainable governance structure rather than a one-time effort. Building the ongoing third-party risk management capability that DORA requires as a permanent feature of the operating model is the transition from compliance programme to operational norm.</p>
<p>DORA has arrived. The question now is operational.</p>