European Supervisory Authorities Urge Financial Entities to Ensure Timely Compliance with EU Digital Operational Resilience Act

The European Supervisory Authorities have published a joint statement on the application of the EU Digital Operational Resilience Act. The ESAs emphasise that as DORA does not provide for a transitional period, it is important for financial entities to adopt a robust, structured approach in order to meet their obligations in a timely manner. DORA, and the technical standards and guidelines supplementing it, applies from January 17, 2025. Financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements. Financial entities should also prepare for the new reporting obligations. In particular, financial entities need to have their registers of ICT third-party providers' contractual arrangements available for competent authorities early in 2025, as the latter will have to report them to the ESAs by April 30, 2025. The ESAs note that competent authorities will supervise compliance with the DORA requirements in a risk-based manner considering the risk profile, size, complexity and scale of financial entities. The ESAs invite ICT third-party service providers, which consider they may meet the criticality criteria published in May, to assess their operational setup against DORA requirements. The first designation of critical third-party service providers is expected to take place in H2, 2025.

Return to main website.