DORA – What are the implementation and supervisory expectations for the 17 January 2025 deadline?

Financial Regulation Advisory

Fri 17 Jan 2025

While EU financial services firms have been progressing preparations to ensure their readiness for the Digital Operational Resilience Act (DORA), some firms may not be in a position to achieve full compliance by the DORA implementation date of 17 January 2025. Therefore, it is important to consider comments made by the Central Bank of Ireland (CBI), the European Supervisory Authorities (ESAs) and the European Central Bank (ECB) regarding DORA implementation and operational resilience supervisory expectations. The key points from these comments are outlined in this briefing.

‘Day 1/Day 2’ and multi-year approach to supervision

We previously reported that Gerry Cross, Director of Capital Markets and Funds in the CBI and chair of the ESAs’ ‘Sub-Committee on DORA implementation’, noted that there is benefit in taking a “Day 1/Day 2 perspective” with regard to supervisory expectations for initial implementation of new legislation such as DORA. Mr Cross stated that “there is often merit in seeing the value in a committed journey by firms and supervisors from initial implementation and compliance to a richer, more fully achieved implementation over time”. In relation to achieving full implementation over time, Mr Cross emphasised that supervision of digital operational resilience is “not a once-and-done exercise” and it is “optimal to adopt a multi-year, multifaceted perspective”. He noted that while the ESAs have taken the view that they must find the best solutions possible in the limited time available prior to implementation, they recognise that the new framework will need to evolve and adapt over time, referencing possible future level 3 guidance.

Mr Cross further stated at the CBI’s ‘DORA Industry Briefing’ that a ‘Day 1/Day 2’ approach would involve taking a “high quality implementation perspective” and the CBI’s expectations will be demanding. For example, firms are expected to clearly identify any gaps between the legal requirements and their compliance and to close those gaps. Firms’ performance will be assessed by having regard to an appropriate starting point, the quality of their approach and their timely closing of any gaps. Importantly, key aspects, such as incident identification and reporting, are expected to be in place without delay.

ESAs’ implementation expectations

The ESAs issued a joint statement in December 2024 emphasising the importance of firms adopting a “robust, structured approach” to satisfying their legal obligations under DORA in a timely manner.

Gaps identified as part of a gap analysis should be addressed in a timely manner. The ESAs state that the DORA requirements are not entirely new, as many firms have been subject to a wide array of existing EU and national sectoral guidelines, regulations or supervisory expectations in the information and communication technology (ICT) risk management area (including but not limited to risk management, incident reporting and management, and outsourcing). That said, the ESAs acknowledge that efforts to comply with DORA may be higher for firms which have been subject to fewer sectoral requirements to date.

The ESAs also commented on certain key areas. It is expected that firms make their registers of information on contractual arrangements with ICT third-party service providers available to their competent authorities “early in 2025”. This is to enable the competent authorities to report the information to the ESAs by 30 April 2025 (the deadline set by the ESAs in their Decision issued on 8 November 2024). At its recent Industry Briefing, the CBI stated that “as it currently stands, financial entities should be prepared to submit the registers to the Central Bank of Ireland in the first week of April 2025”.

In relation to incident identification and reporting, it is important that firms are equipped to classify and report their major ICT-related incidents from 17 January 2025. Reporting is important here in Ireland given requirements on the board and senior executives under the ‘Individual Accountability Framework’ (including the ‘Conduct Standards’) to ensure adequate regulatory reporting.

Supervisory priority for the ECB

In December 2024, the ECB announced its supervisory priorities for 2025 to 2027. One of its priorities is strengthening banks’ ability to withstand immediate macro-financial threats and severe geopolitical shocks by addressing deficiencies in operational resilience frameworks, particularly in relation to ICT outsourcing and ICT security and cyber risks. In a recent ‘Supervision Newsletter’, the ECB noted that, while digital operational resilience has consistently been identified as a supervisory priority over the past five years, the ECB will further increase its efforts to ensure compliance from 2025 onwards, via on-site inspections and targeted reviews. Key areas of focus include cybersecurity controls, ICT outsourcing, ICT change management, mitigation, response and recovery, data quality management and governance and ICT risk management. The ECB has found weaknesses and room for improvement in relation to all these areas to date.

Conclusion

It is essential for EU firms to adopt a proactive and structured approach to meeting their legal obligations and regulatory expectations. Indeed, the ECB expects firms to establish mature frameworks in which business and technology functions are fully aligned to optimise incident management, business continuity management and crisis communication. By addressing any compliance gaps promptly, firms can not only meet their legal obligations but also enhance their overall digital operational resilience.

For further information on DORA and its impact on your firm, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.  

Date published: 17 January 2025
