On 4 December 2024, the European Supervisory Authorities (ESAs) issued a statement on the application of the Digital Operational Resilience Act (DORA).
The statement notes that DORA and its technical standards and guidelines will apply from 17 January 2025, and calls on financial entities and third-party providers to advance their preparations to ensure readiness. It also emphasizes the importance of financial entities adopting a robust, structured approach to meet their obligations in a timely manner, given that DORA does not provide for a transitional period.
Other key messages in the statement include that financial entities:
- Are expected to identify and address in a timely manner gaps between their internal set-ups and DORA’s requirements.
- Should prepare for the new reporting obligations. In particular, financial entities need to have their registers of ICT third-party providers’ contractual arrangements available for Member State competent authorities early in 2025, as the latter will have to report them to the ESAs by 30 April 2025.
The ESAs also invite those ICT third-party service providers that meet the criticality criteria published in May 2024 to assess their operational setup against DORA’s requirements. The first designation of critical ICT third-party service providers is expected to take place in H2 2025.