Facing up to the challenge as the age of DORA dawns

The absence of a transitional period presents a challenge for firms and third-parties.

The EU’s Digital Operational Resilience Act applies to in-scope firms from today. The Act does not provide for a transitional period and those entities in-scope of the regime are now required to be compliant with its requirements.

What makes the absence of a transitional period a challenge is the relatively recent release of key implementing technical standards (ITS), including the one covering the register of information, which was published only in December.

ESMA and the other European Supervisory Authorities (ESAs) have, however, issued a statement affirming that any compliance gaps should be addressed in a “timely manner.”

The statement pointedly emphasized reporting obligations under DORA, and, in particular, the submission of registers of contractual arrangements with ICT third-party providers. According to the statement these must be available “early in 2025” because the relevant competent authorities will be required to report on these to the ESAs by 30 April 2025.

ESMA and the ESAs also released the results of the 2024 DORA dry run exercise in December. Just over one thousand (1,039) financial entities participated in the exercise by submitting their registers, for which the reporting deadline was 30 August 2024. Of these submissions, 947 registers (91%) passed the initial technical integration checks, but only 6.5% of these went on to pass all data quality checks. The most frequent failure was missing mandatory information, which accounted for 86% of all errors.

Nathaniel Lalone, Financial Markets and Funds partner at Katten Muchin Rosenman UK LLP, was very frank in his comment on what he is observing in practice currently: “As with most major regulatory implementation deadlines, we all seem to be fumbling towards the finish line. DORA introduces very specific and prescriptive requirements and has lots of moving pieces.” 

Key challenges

He pointed to two key compliance challenges that he and other specialists at Katten have seen in connection with DORA implementation at this late stage:

“First, in terms of updating contracts, there is a ‘battle of the forms’ between financial entities, who want all their service providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has the stronger negotiating power and who blinks first?

“Second, the compliance burden ratchets up for service providers supporting ‘critical or important’ functions, and there’s some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision. This leaves open the risk that some providers of a given service are designated by their financial entities as supporting ‘critical or important’ functions and subject to heightened obligations, whereas providers of a nearly identical service are not. That seems inequitable and it’s not clear how to solve for those discrepancies with the rules as they currently stand.”

He added that he fully empathized with firms, because existing compliance and reporting obligations have not gone away, which means that firms are having to grapple with how “to integrate DORA compliance with existing requirements and internal systems, while managing resourcing constraints.”

In a sign that preparations for the incoming regime are also ongoing on the regulators’ side, the ESAs announced vacancies for Heads of Unit in the joint oversight team responsible for ICT critical third-party providers, with the deadline for applications set at 30 January.

Also useful to note is the publication of a limited number of FAQs connected with DORA in a package of Q&As released on the ESMA website on 10 January.

These include questions on:

  • microenterprises and RMF;
  • ICT-related incidents – critical services affected;
  • ICT-related incidents – duplicate incident reporting; and
  • oversight framework of CTPPs – exemption for non-EU ICT Intra-group service providers.

GRIP Comment

Even where firms are still busy repapering their arrangements with third-party service providers, or are still working through the granular implementation detail, a pragmatic approach should almost certainly involve prioritizing the register of information and the ability to submit it successfully to the relevant competent authority.