
17 January 2025 | 10 minute read

DORA round-up: January 2025

With the application of the Digital Operational Resilience Act (DORA) fast approaching, there was a flurry of DORA-related activity in December from the European Supervisory Authorities (ESAs) and the European Commission. Below is a round-up of what has been happening and where things stand heading into 2025.


LATEST POSITION ON THE IMPLEMENTING/REGULATORY TECHNICAL STANDARDS
December activity:
  • The ITS to establish the standard templates for the register of information (which will relate to all contractual arrangements on the use of ICT services provided by ICT third-party service providers) came into force on 22 December (Implementing Regulation (EU) 2024/2956). Related to this, the ESAs (i) published an updated technical reporting package that includes rules for the register, and (ii) published a summary report and ran an industry workshop on the "Dry Run" exercise and the lessons learnt (see below for further information on these).
  • The text of the RTS to specify the criteria for determining the composition of the joint examination team (the JET) was adopted by the Commission on 16 December (text available here) - this is now subject to a 3-month scrutiny period. The ESAs announced that they have started jointly recruiting the Heads of Unit for the JET. The JET will support each Lead Overseer in carrying out its oversight activities of critical ICT third-party service providers (CTPPs), which will include drafting the annual oversight plans and any remediation plans, as well as conducting the general investigations and inspections of CTPPs.
What is outstanding?

In summary we are still waiting for:

  • the European Commission's text of the RTS on subcontracting
  • the European Commission's text of the RTS on threat-led penetration testing

According to a December statement, the Commission is currently finalising the review of these two sets of standards, and adoption is planned for early 2025 – even if this were to happen before 17 January, the standards will still be subject to scrutiny.

  • the European Parliament and European Council to confirm whether they have any objections to the three sets of RTS currently subject to their scrutiny (the RTS to specify the reporting of major ICT-related incidents and the two RTS on the harmonisation of oversight activities)
  • the publication of the ITS to establish the reporting details (standard forms and templates) for major ICT-related incidents – these have been adopted by the European Commission but have still to be published in the Official Journal

In addition, we are expecting:

  • the ESAs' feasibility report on a single EU hub for major ICT-related incident reporting – this is due to be delivered by 17 January 2025 under DORA. The ESAs indicated last year that they were on track to meet this deadline
  • the designation of the first CTPPs – expected in H2 2025, according to a December statement from the ESAs
  • a response from the European Commission to EIOPA's Opinion and concerns about the application of DORA to small insurance undertakings (EIOPA Opinion on the scope of DORA in light of the review of the Solvency II framework – November 2024)
ESAs STATEMENT ON THE APPLICATION OF DORA

In early December, the ESAs issued a Statement on DORA's application (JC 2024 99). The ESAs singled out reporting as a priority, highlighting the following:

  • financial entities will need to have their registers available for competent authorities (CAs) early in 2025, so that the CAs can meet their reporting obligations to the ESAs by 30 April 2025. Some CAs have already set out their timescales. For example, in the Netherlands, the Authority for the Financial Markets has indicated that it will send an information request for the registers in February 2025; and
  • it is important that financial entities are able to classify and report on their major ICT-related incidents from 17 January 2025.

While the ESAs reiterated that there is no transitional period for the application of DORA, they did make the following points of note: 

  • the ESAs are working with CAs to "deliver a pragmatic, outcomes-focused and timely approach to implementation". They noted that CAs are prepared to supervise the DORA requirements "in a risk-based manner and taking into account [the ESAs'] Union Strategic Supervisory Priorities (USSPs) and the EBA’s 2025 European Supervisory Examination Programme (ESEP), which highlight cyber and digital operational resilience"
  • financial entities (FEs) are expected to "identify and address in a timely manner gaps between their internal setups and the DORA requirements". As the ESAs have said before, they do not think that the DORA requirements are entirely new for many FEs; however, they do acknowledge that the compliance burden will be higher for those FEs that, up until now, have been subject to fewer requirements in respect of digital operational resilience management
  • the first designation of CTPPs is expected to take place in H2 2025 – if an ICT TPP thinks that it may meet the criteria for critical TPP status, it should assess its operational set-up against the DORA requirements


REGISTER OF INFORMATION – REPORT AND WORKSHOP ON THE DRY RUN EXERCISE
  • REPORT:
    • Just over 1,000 financial entities took part in the exercise (covering nearly 3,500 entities on a consolidated basis) and submitted data on a "best efforts" basis. The ESAs note that only 6.5% of the registers analysed successfully passed all data quality checks, although 50% of the remaining registers failed fewer than 5 of the 116 data quality checks. Notwithstanding this, the ESAs are confident that "the objective of having registers of sufficient quality in 2025 that would allow for the designation of critical third-party service providers (CTPPs) is not out of reach, subject to some additional efforts from the industry."
    • According to the report, the most common issue with the provision of mandatory information was the provision of ID codes for the ICT third-party service providers (ICT TPPs) and their parent undertaking – this is a problem because the identification and grouping of ICT TPPs is essential for the CTPP designation process. As mentioned above, the ESAs have confirmed that the first designation of CTPPs is expected to take place in the second half of 2025. In November 2024, the ESAs set out the information that CAs must report to them for the designation of CTPPs and confirmed that the deadline for the submission of information by the CAs will be 30 April 2025 (see the ESAs' Decision).
  • WORKSHOP:
    • The ESAs ran an industry workshop on 18 December on the lessons learnt from the Dry Run exercise. The slides for the workshop can be found here.
    • The slides include an overview of the data assurance process, key lessons learnt for both the regulators and the wider industry, the timeline for reporting, and a section on key changes in the requirements for the register following the adoption of the final ITS on the standard templates for the register of information.
    • The final ITS added the EUID as an alternative identifier for ICT TPPs that are established in the European Union (note that the LEI remains the identifier for financial entities) - the slides include detail on the implementation of the EUID. The slides also flag that the final ITS removed the requirement for FEs to keep expired contracts in the register.


REGISTER OF INFORMATION – TECHNICAL REPORTING PACKAGE

On 19 December, the EBA released the final technical package for version 4.0 of its reporting framework (Reporting Framework 4.0). This package includes the updated technical requirements for the register of information (including the validation rules and changes to the previous data point model and taxonomy) following the adoption of the ITS on the standard templates for the register of information. The framework is expected to apply from March 2025, according to the EBA.


EIOPA TO REVOKE ICT-RELATED GUIDELINES

On 19 December, EIOPA announced that it will be making the following changes with effect from 17 January 2025. These are to avoid overlaps with DORA and to ensure a unified regulatory framework for digital operational resilience in the EU insurance and occupational pension funds sectors:

EIOPA notes in its press release that national supervisors across the EEA are expected to adjust their national frameworks also to remove any duplication and to continue ensuring a level playing field.


NEW ANSWERS IN THE ESAs JOINT Q&A REGISTER

The ESAs maintain a joint register of all questions that are submitted to them, along with the formal responses, and this includes a number of questions relating to DORA: Register of the Joint Q&As

One recently-answered question relates to the RTS specifying the criteria for the classification of major ICT-related incidents (Delegated Regulation (EU) 2024/1772). The question was whether all of the components listed in Article 6 of the RTS are required cumulatively to determine the criticality of the services affected by an ICT-related incident. Under Art. 18(1) of DORA, the 'criticality of the services affected' is one of the criteria against which FEs must classify and determine the impact of an ICT-related incident.

"Article 6 (Criticality of services affected): For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of [DORA], financial entities shall assess whether the incident:

  • affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
  • affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities;
  • constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity."

The ESAs have confirmed that an impact on any of the components listed in Article 6 should be considered as affecting critical services.

Note that the Joint Q&As register is separate from the Dry Run FAQ register that was maintained by the ESAs for that exercise. However, questions raised during the Dry Run exercise about the definition of ICT services and ICT service providers under DORA are due to be formally answered via the Joint Q&As "in due course".
