Analysis: The DORA train pulls into the station
New EU rules aimed at strengthening the IT security of financial entities such as banks, insurance companies and investment firms are finally here, write William Fry lawyers John O’Connor, Claire O’Connor and Conor Forde.
While it may seem that we have been talking about the Digital Operational Resilience Act (DORA) since the beginning of time, DORA’s application date finally arrived on Friday, 17 January 2025.
Many firms across the financial services industry are aware of the main themes of DORA, given the extensive communications from the European Supervisory Authorities (ESAs) and the Central Bank of Ireland (CBI), but perhaps there is less awareness of the key areas that will be in focus for Q1 and Q2 of 2025.
Supervisory expectations
As noted by the CBI at its DORA industry event in November 2024, within the first quarter of 2025, the CBI expects firms who are subject to DORA to have taken material steps towards DORA compliance, including the deployment of sufficient resources in a timely manner.
This includes an expectation that all firms who are subject to DORA will have carried out a comprehensive gap analysis of their existing policies, processes and procedures against the requirements of DORA and, based on that gap analysis, will have put in place a DORA remediation programme to achieve compliance within a clear timeline.
An exception to this relates to major ICT-related incident notifications. The CBI and the ESAs expect that firms subject to DORA will have their structures in place to ensure they can notify the CBI of any major ICT-related incident from 17 January 2025.
As part of this, the CBI has released the template to be used by firms when making the initial notification, along with the intermediate and final reports. Those templates can be found here.
Third-party service providers and sub-contracting
One of the more onerous obligations under DORA is the uplifting of agreements with third-party ICT service providers, especially those arrangements supporting critical or important functions of the firms (CIFAs).
One of the major issues, especially regarding CIFAs, is the fact that it remains somewhat unclear as to what is a third-party ICT service provider under DORA.
In apparent conflict with Recital 63 DORA, the ESAs have signalled that regulated entities which are themselves subject to DORA and, crucially, which provide regulated services that are technologically enabled, would be exempt from the mandatory contractual principles under DORA.
It was noted at the CBI industry event that written Q&A and/or guidance would be provided by the European Commission in conjunction with the ESAs in December. As of the date of this article, this Q&A/guidance remains outstanding.
Furthermore, the Regulatory Technical Standards specifying the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions (CIFA RTS), which make up a significant part of the mandatory contractual clauses required under DORA, remain outstanding.
The CIFA RTS was due to be adopted by 17 January 2025, but at the date of this article it has not been.
Register of information
The obligations under DORA surrounding the register of information mandated by Article 28 DORA have received considerable attention given the onerous nature of these obligations. As DORA comes into effect, one of the upcoming compliance issues will be the round of first submissions by firms of their registers of information.
As noted by the CBI, the first submission deadline will be within the first week of April 2025 and will be expected in March each year from then on. The registers of information can be uploaded through the CBI portal as a return, no different from the returns currently expected to be filed with the CBI by firms.
Conclusion
DORA will no doubt dominate as a compliance issue for firms in 2025 and the years to follow, especially with so many outstanding items. This is proving to be a technical area, and we expect that technicality to only grow as the regulatory and supervisory expectations become clearer.
John O’Connor is a partner, Claire O’Connor is a senior associate and Conor Forde is an associate at William Fry LLP.