The ESAs Solidify Their Expectations Under DORA

Author

ACA Aponix

Type

Article

Topics
  • Cybersecurity

With just over 100 days remaining until the 17 January 2025 compliance deadline for the EU’s Digital Operational Resilience Act (DORA), the pressure is mounting for firms to act. The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) are accelerating efforts to clarify critical elements of the Act. Recently, the ESAs released a second wave of DORA policy products, which include new technical standards and guidelines on incident reporting, penetration testing, and oversight frameworks, underscoring the urgency for firms to ensure readiness.

The ESAs’ second batch of policy products

Broadly, DORA aims to ensure that all participants in the financial system are well-prepared to withstand, respond to, and recover from information and communications technology (ICT)-related disruptions and threats. The latest updates provide clarity in critical areas, but with the compliance deadline rapidly approaching, firms must act now to implement these changes. The recent policy products include new technical standards in several areas, including:

1. Enhanced incident reporting

A key element of the recent policy products is to provide financial entities with greater clarity around the incident reporting requirements of DORA. The streamlined reporting process reduces the number of fields from 84 to 59, allowing firms to focus resources on immediate incident response. Additionally, firms now have 24 hours to submit an “intermediate report” and 72 hours for the final report – a small window in which to ensure accurate reporting.

2. Threat-led penetration testing

To help bolster resilience, DORA requires regular and comprehensive testing of ICT systems, including threat-led penetration testing. The recent updates help clarify which firms will be required to engage in penetration testing and which may be allowed to opt out, as well as the key roles and responsibilities of testing teams, the appropriate testing process, and timelines. The clock is ticking for firms to establish testing processes and remediation plans for identified vulnerabilities.

3. Third-party risk management

Given the critical role of third-party service providers in the overall resilience of the financial markets, DORA mandates stringent third-party risk management. Financial entities are required to conduct thorough due diligence and continuous monitoring of their third-party ICT service providers. The recent updates from the ESAs provide guidance to ensure that vulnerabilities in the supply chain are addressed immediately, reinforcing the need for prompt and ongoing oversight.

4. Strengthened governance

Governance structures within financial entities are another focal point, with specific requirements for senior management and boards of directors to ensure accountability and effective oversight of ICT risk. These enhanced frameworks will drive greater responsibility for firms’ digital operational resilience.

Next steps

The ESAs’ second batch of policy products represents a pivotal step in strengthening the digital operational resilience of the financial sector. However, with just over 100 days until the compliance deadline, firms must now rise to the challenge. Taking action to adopt best practices and ensure DORA compliance within this short window will be crucial to safeguarding both the firm and the broader financial ecosystem. Partnering with a third-party provider to assess your firm’s current digital and operational resilience program and identify gaps in DORA adherence can be a valuable step in ensuring timely compliance.

Join our webcast

Still trying to determine how to comply with DORA? Join us for an insightful webcast where we will be joined by Sidley Austin to cover challenges posed by DORA and what you can do now to meet the fast-approaching compliance date. We will discuss:

  • Understanding the key requirements of DORA
  • Identifying the sectors and businesses impacted
  • Strategies for ensuring compliance and operational resilience
  • Best practices for integrating DORA into your existing compliance framework
  • Tools and technologies to support your compliance efforts

How we help

ACA’s cybersecurity and risk experts are well-positioned to assess your firm’s current digital and operational resilience program and identify gaps in adherence with DORA. We will evaluate your current status against the following key aspects of the regulation:

  • ICT governance and organisation
  • ICT risk management framework
  • ICT systems, protocols, and tools
  • ICT incident management, classification and reporting
  • Digital operational resilience testing
  • Third-party provider risk management
  • Information sharing on cyber threats and intelligence

To learn more about how we can help you meet the DORA compliance date, or for more information about how we can help you launch, grow, and protect your firm, please reach out to your consultant or contact us here.