The Commission’s original proposal dates back to September 24, 2020. After opinions from the European Central Bank, European Data Protection Board and European Cyber Security Challenge, the Council approved the negotiating mandate on November 24, 2021. The proposal was then honed by the European Parliament and the Council.
With the Council’s approval on November 28, 2022, the legislative process is now complete. Because of the complexity, the standard implementation period of 12 months has been extended to 24 months. That means DORA will be applicable as of January 17, 2025.
Further interpretation through RTS
Now that the law has been passed, the relevant ESAs – such as EBA, ESMA and Eiopa – can develop Regulatory Technical Standards (RTS). These provide further interpretation and detail on certain points of the law and prescribe the use of certain standards or formats.
The table below lists the RTS that are yet to be developed and their deadlines.
How to prepare?
The table above illustrates that many details are still unknown. Moreover, 2025 still sounds far away. Nevertheless, we advise you to get started with the implementation of specific requirements from DORA, for example by making your internal processes and requested controls compliant.
DORA is a complex legal framework that contains many different topics and requirements, from IT Risk Management to contract and SLA management. In addition, DORA contains a proportionality principle. This means that the requirements described should be implemented in a way that is appropriate to the size, overall risk profile and nature, scale and complexity of the organization.
We recommend tackling the implementation of DORA project by project, by breaking it down into several steps, starting with an identification of the people responsible and/or involved in the topics from DORA. Who within the organization is responsible for ICT Risk Management (art. 5)? Who should be involved in determining the impact of DORA on the organization on this topic? Answering these questions first directly identifies the stakeholders and involved parties for the (possible) change process.
Next, an Article 6 analysis should reveal what, in terms of ICT Risk Management framework, applies. Next, you can start determining what “gaps” are present between DORA and the current setup of the organization. Technically, you have 24 months to fill these gaps, but don’t forget: the RTS must also be incorporated within the existing processes and procedures. In total, this brings us to four steps:
- Determine who is responsible and needs to be involved within your organization.
- Analyze per specific topic and DORA article what applies to your organization and to what extent.
- Determine which processes and controls your organization already has in place and implement what is still needed to meet the requirements from DORA.
- Adopt the prescribed templates and other requirements from the RTS and make them part of the processes and procedures.
Schematically, the steps you can take before DORA becomes applicable look like this:
A preview of DORA’s content
DORA is divided into several chapters. In the coming months, we will use a number of articles to discuss the topics in more detail and explain the main provisions.
DORA has the following chapter structure that are applicable for financial entities that will be subject to DORA:
- Chapter II (art 5 – 16): ICT Risk Management
- Chapter III (art 17 – 23): Management, classification and reporting of ICT-related incidents
- Chapter IV (art 24 – 27): Testing of digital operational resilience
- Chapter V (art 28 – 30): ICT risk management of third-party providers
In anticipation of our next article, you can get started on “identifying,” by identifying who within your organization is responsible for or involved in:
- The ICT risk management and ICT risk framework;
- The ICT incident process;
- The availability and continuity of applications and systems;
- Contract management and control of IT outsourcing risks;
These will also be the people who will have to provide input for step 2.