Countdown to DORA: EU Supervisors Set Timelines for Critical ICT Oversight

The clock is ticking for Europe’s financial sector as the Digital Operational Resilience Act (DORA) prepares to go live on 17 January 2025. To pave the way, the European Supervisory Authorities (EBA, EIOPA, and ESMA) have announced how they’ll collect the vital information needed to designate Critical ICT Third-Party Providers (CTPPs). The message is clear: start preparing now, or risk falling behind.

Under a decision revealed today, competent authorities (CAs)—regulators tasked with overseeing financial institutions—must submit detailed registers of contractual arrangements between financial entities and their ICT providers by 30 April 2025. This information will form the backbone of the ESAs’ first major oversight task under DORA: deciding which ICT providers are “critical.”

This isn’t just an administrative box to tick. The ESAs have laid out a robust process to ensure consistency, reliability, and confidentiality. That means:

  • Clear timelines to keep everyone on schedule.
  • Thorough data checks to catch mistakes early.
  • Strict confidentiality measures to safeguard sensitive information.

The ESAs are urging regulators to get ahead of the game by starting their data collection now. April might seem a long way off, but the complexities of compiling accurate and complete information could make it feel much closer.

Don’t Wait for Perfection

If you’re holding out for the final implementing technical standards (ITS) from the EU Commission, the ESAs have some advice: don’t. While the ITS are still under review, most of the requirements were spelled out in a Final Report released back in January 2024. Any tweaks from the EU Commission are expected to be minor.

The takeaway? Start gathering what you can, especially the trickier bits—like unique identifiers for your ICT providers. Scrambling for last-minute details isn’t a good look for anyone, particularly under the scrutiny of a brand-new regulatory regime.

To make the road to compliance a little smoother, the ESAs have been busy. In May 2024, they rolled out draft templates, data models, and a full technical package to guide financial entities through the reporting process. They even organized a dry run—think of it as a practice exam for reporting—where 1,000 entities tested their readiness.

The result? Lessons learned, systems refined, and a clearer path forward for everyone involved. Building on that, the ESAs have just published a fresh set of validation rules and a visual data model to help entities fine-tune their registers. The final, updated package is set to drop in December 2024.

A Date for Your Diary

Still feeling unsure? Mark your calendar for 18 December 2024, when the ESAs will host a virtual workshop to answer questions, share insights from the dry run, and walk you through the process. It’s free, and it’s a must for anyone still piecing together their approach. Registration closes on 16 December 2024.

DORA isn’t just another layer of red tape. It’s a bold attempt to strengthen the EU’s financial system against the growing risks of cyberattacks and IT failures. By identifying and monitoring the most critical ICT providers, the ESAs aim to minimize the ripple effects of any disruptions.

For financial institutions, this is a chance to tighten up their IT governance and show they’re serious about operational resilience. For compliance professionals, it’s a challenge—but also an opportunity to demonstrate value by getting ahead of the curve.

With just months to go until DORA’s implementation, the ESAs have made their expectations clear. Now it’s up to the financial sector to deliver. Time to roll up your sleeves.
