BLOG — Jan 30, 2025
The key compliance deadline for the Digital Operational Resilience Act (DORA) on January 17, 2025, has passed, and supervisory authorities are now focused on swiftly collecting the Registers of Information from financial institutions. Meanwhile, many firms still have work to do to achieve and sustain DORA compliance; a recent survey indicates that nearly half of UK-based institutions are expected to miss the deadline[1]. Looking ahead, the landscape of operational resilience will continue to evolve, and businesses must adapt to maintain their competitive edge and safeguard their operations.
Background
DORA aims to enhance the digital operational resilience of financial entities across the EU, ensuring they can withstand, respond to, and recover from all types of ICT-related disruptions. As organizations implement the requirements, it is essential to understand the implications of this regulation and the steps necessary to align with its standards.
Please refer to the prior blogs in this series for further details:
1. Regulatory spotlight: The Digital Operational Resilience Act DORA Q3 2024 Update
2. Preparing for DORA Compliance: A Guide for Organizations
Activities to Focus on Now and Going Forward
As we navigate the complexities of achieving digital operational resilience, it is crucial to concentrate on the key activities that will ensure compliance and long-term sustainability. The following points outline the critical steps organizations should take now and in the future to meet regulatory requirements and maintain robust operational resilience:
1. Complete Residual Remediation and Short-Term Enhancements to Achieve Compliance:
Given the timeline challenges, most firms will have residual work to do, and a proportionate approach is advisable. Organizations should prioritize activities and ICT providers that significantly contribute to improved resilience. Developing a plan with clear ownership and timelines for residual steps beyond January is essential.
2. Demonstrate Compliance Status to Senior Management and Supervisory Authorities:
Organizations need to prepare a clear articulation of what has been achieved and what remains outstanding. An independent assessment of their compliance status may also be beneficial. Having a readily updatable report can facilitate transparency in discussions or inquiries from regulators.
3. Embed Changes Made to Achieve Compliance:
It is crucial to ensure that the changes made are sustainable, recognizing that actions are often taken tactically to meet regulatory deadlines. Continuous improvement through interactions with regulators and peers is vital. Compliance with DORA is not a one-time task; it aims to establish a sustainable and continuously improving approach to digital operational resilience.
DORA Compliance Short-Term Focus
To ensure compliance with DORA, firms must concentrate on two key areas in the short term:
1. Register of Information
The European Supervisory Authorities (ESAs) have clarified their expectations regarding the compilation of registers for ICT services, which national regulators must submit no later than April 30, 2025. In practice, national regulators will ask firms to submit their registers before this deadline. For example, the Central Bank of Ireland has indicated that it will ask firms to submit their registers during the first week of April 2025.
Firms that participated in the voluntary dry run of the collation of the Register of Information conducted by the ESAs in 2024 have identified challenges, such as obtaining Legal Entity Identifiers (LEIs) for all ICT providers. Firms need to address this issue as part of their compliance efforts. Many other firms will be undertaking this exercise for the first time and should be prepared for initial difficulties in pulling the required data in the prescribed format.
S&P Global is working with customers to leverage our KY3P solutions to assist in compiling the Register of Information. These tools streamline the reporting process and facilitate the implementation and ongoing adherence to the broader DORA third-party management requirements.
2. Assessing ICT Providers Against DORA Standards
Many firms have yet to implement programs to assess all their ICT providers against DORA due diligence standards, or those assessments are incomplete, making this a key priority. Solutions such as S&P Global's KY3P Assessments service can help expedite and sustain this effort moving forward.
The S&P Global Third-Party Assessments service facilitates the efficient exchange of due diligence data between third-party service providers and their customers. The Assessments solution provides direct access to Due Diligence Data, a comprehensive data utility aligned with DORA’s critical risk domains, including data on significant critical providers active in the financial services industry. This service offers an efficient way to meet DORA expectations by performing risk-proportionate due diligence, assurance, and audits and inspections of third-party providers, easing the burden on financial institutions and their providers.
Looking Ahead
The journey toward compliance with DORA is not merely about meeting regulatory requirements; it is an opportunity for organizations to strengthen their operational resilience and enhance their risk management frameworks. For ICT providers, this marks the beginning of the journey, with the data collected informing the ESAs in determining which ICT third-party service providers should be designated as "critical" to the EU financial system. The first designations are expected in the second half of 2025.
As we move into 2025 and beyond, organizations that invest in their digital operational resilience will not only comply with DORA but also position themselves for long-term success in an increasingly digital world.
Discover more insights on how we can help streamline your DORA compliance efforts here.
[1] Resilience Forward.com, "Nearly half of UK financial services organizations will miss DORA deadline".