Dec 9 / IT CPE Team

Key Takeaways from the EU's New Digital Operational Resilience Act (DORA) Regulation

On November 29, 2024, the European Commission introduced Commission Implementing Regulation (EU) 2024/2956, which sets detailed technical standards for the application of the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This regulation, effective 20 days after its publication, aims to standardize operational resilience requirements for the EU financial sector. Developed in collaboration with European Supervisory Authorities (ESAs), DORA emphasizes transparency, consistency, and effective risk management.

Key Requirements Under DORA Regulation

DORA’s technical standards introduce a comprehensive framework for financial entities to improve operational resilience, focusing on managing ICT risks effectively.

1. Comprehensive Register of Information

Financial institutions must maintain a detailed register of information on their contractual relationships with ICT service providers. This register should include:

  • Legal Entity Identification:
    • Legal Entity Identifier (LEI) and European Unique Identifier (EUID) for ICT third-party providers.
    • Country of origin, using ISO 3166-1 alpha-2 codes.
  • Organizational Structure:
    • Document group-level and entity-level hierarchies.
    • Reporting at entity, sub-consolidated, and consolidated levels.
  • Contractual Arrangement Tracking:
    • Assign unique reference numbers to each contractual relationship.
    • Include information on standalone and subsequent arrangements.

This comprehensive register helps monitor ICT risks and enhances consistency in reporting across the EU.


2. Classification and Ranking of ICT Providers

DORA emphasizes managing risks related to ICT providers by requiring:

  • Ranking of Providers:
    • Rank the direct ICT provider as "1", with subcontractors ranked incrementally (e.g., "2" for the first subcontractor).
  • Documenting Subcontracting Chains:
    • Track critical subcontractors and ensure their role in ICT service delivery is documented.
  • Assessing Concentration Risks:
    • Evaluate if reliance on a single provider or a small number of providers poses operational threats.

This classification process ensures effective risk tracking and mitigation across all ICT service layers.
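To make the register structure in sections 1 and 2 concrete, here is an added Python illustration (not the regulation's template or any vendor's code): it builds provider LEIs with the ISO 17442 mod-97 check digits, walks a subcontracting chain to derive the provider rank described above, and flags a concentration risk when one provider holds more than a given share of arrangements. The entity names, contractual reference numbers and LEI prefixes are constructed, and the 50% threshold is an assumed illustrative value, not one set by DORA.

```python
import re
from collections import Counter
from dataclasses import dataclass

def lei_check_digits(base18: str) -> str:
    """ISO 17442 check digits (ISO 7064 mod 97-10) for an 18-character prefix."""
    digits = "".join(str(int(ch, 36)) for ch in base18.upper() + "00")
    return f"{98 - int(digits) % 97:02d}"

def valid_lei(lei: str) -> bool:
    """A well-formed LEI is 20 chars [A-Z0-9] whose numeric form is 1 mod 97."""
    if not re.fullmatch(r"[A-Z0-9]{20}", lei):
        return False
    return int("".join(str(int(ch, 36)) for ch in lei)) % 97 == 1

@dataclass
class Contract:
    ref: str                  # unique contractual reference number
    entity: str               # financial entity receiving the ICT service
    provider_lei: str         # Legal Entity Identifier of the ICT provider
    provider_country: str     # ISO 3166-1 alpha-2 code (not validated here)
    parent_ref: str = ""      # arrangement this one subcontracts, if any

def provider_rank(register: dict, ref: str) -> int:
    """Direct provider is rank 1; each subcontracting hop adds 1."""
    rank, seen = 1, set()
    while register[ref].parent_ref:
        if ref in seen:
            raise ValueError(f"cycle in subcontracting chain at {ref}")
        seen.add(ref)
        ref = register[ref].parent_ref
        rank += 1
    return rank

def concentration(register: dict, threshold: float = 0.5) -> dict:
    """Providers whose share of all arrangements exceeds the threshold."""
    total = len(register)
    counts = Counter(c.provider_lei for c in register.values())
    return {lei: n / total for lei, n in counts.items() if n / total > threshold}

# Constructed sample data: two hypothetical providers, four arrangements.
LEI_A = "549300ABCDEF000001" + lei_check_digits("549300ABCDEF000001")
LEI_B = "529900XYZ000000002" + lei_check_digits("529900XYZ000000002")
REGISTER = {c.ref: c for c in [
    Contract("C-0001", "BANK-EU-1", LEI_A, "DE"),
    Contract("C-0002", "BANK-EU-1", LEI_B, "IE", parent_ref="C-0001"),
    Contract("C-0003", "BANK-EU-1", LEI_A, "DE"),
    Contract("C-0004", "BANK-EU-2", LEI_A, "DE"),
]}
```

Run as-is, `provider_rank(REGISTER, "C-0002")` returns 2 (a subcontractor of the direct provider) and `concentration(REGISTER)` reports the provider behind three of the four arrangements.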


3. Standardized Data Reporting Templates

  • Technology Neutrality:
    • Predefined columns and flexible rows ensure scalability for institutions of varying sizes.
  • Data Consistency Across Organizational Levels:
    • Maintain uniform data at entity, sub-consolidated, and consolidated levels to ensure seamless integration.
  • Relational Data Structure:
    • Use unique identifiers like Contractual Reference Numbers, LEIs, and Function Identifiers to interconnect data.

These templates enable consistent reporting and improve regulatory oversight across the financial sector.


4. Risk Assessments for Critical ICT Services

  • Oversight of Intragroup and External ICT Arrangements
  • Principles of Data Quality and Accuracy
  • ICT Service Supply Chain Transparency
  • Mandatory Reporting of Critical ICT Dependencies


5. Implications for Financial Institutions

  • Enhanced Compliance Requirements
  • Investment in Technology and Training
  • Regulatory Oversight and Audits
  • Strengthened Risk Mitigation Strategies


Compliance Timeline

  • December 2024: DORA regulation comes into force.
  • First Half of 2025: Begin transitioning to standardized templates and updating information registers.
  • End of 2025: Complete risk assessments and finalize compliance systems.
  • Ongoing: Regular audits and updates to ensure continuous compliance.


Navigating the Future of Digital Operational Resilience

DORA represents a significant shift in managing ICT risk within the EU financial sector. By standardizing data reporting and risk assessments, it ensures financial stability in an increasingly digital landscape. Institutions must act swiftly to align their practices with DORA’s requirements to safeguard operational resilience and meet regulatory expectations.

For further insights into compliance, consult the European Commission’s Official Journal or your regional regulatory body.
