How well is Europe’s financial sector and its IT supply chains prepared for DORA?

Among other milestones, 2024 will likely be remembered as the year of extensive preparations for compliance with Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), which applies from 17 January 2025. With the entire financial sector – including its extensive IT supply chain – impacted by this new EU cybersecurity framework, preparations have been intense. We reflect on the progress made so far and look ahead to  the challenges and changes which will arise as the application period begins.

DORA, as a European regulation, will be directly applicable to virtually all the regulated EU financial sector, comprised of license holders and other regulated entities. Adjustments within existing regulatory risk management frameworks and the introduction of entirely new ones have been one of the top priorities for financial entities all over Europe. Developing a robust ICT governance framework that aligns technological strategies with business objectives and regulatory requirements has been key. This includes policies, processes, and tools aligned with DORA’s proportionality principle (Article 4), ensuring scalability according to the institution's size, risk profile, and operational complexity. However, not only financial entities have been investing time and resources into such adjustments. Quite extensive changes have also been required of the ICT third party service providers (“ICT TPSPs”) who deliver ICT services to financial entities. This inclusion of ICT TPSPs has not come without cause, as regulators have observed that more than 40% of cyberattacks against financial entities are being conducted by attacks on ICT TPSPs.

A lot has already been said and written by our experts in relation to various parts of DORA and this article aims to be a wrap-up of last year’s efforts as well as a reflection on the current status of DORA’s implementation, and a glance into the DORA-related future. 

What were the most interesting topics for financial entities?

Looking back at 2024 

DORA intends to foster digital resilience in the financial sector by addressing risk management in relation to ICT services, ICT risks and ICT TPSPs. Effective risk management under DORA starts with the identification of risks and the implementation of mitigation measures. 

Throughout 2024 financial entities have made significant efforts to comply with these requirements, facing challenges that were unique to their operational scale and complexity. 

Many larger financial institutions, already subject to the EBA Guidelines on Outsourcing Arrangements or the EBA Guidelines on ICT and Security Risk Management or the EIOPA Guidelines on ICT Security and Governance, the EBA Guidelines on Outsourcing to Cloud Service Providers, as well as national IT risk management regulation under CRD IV, may have been familiar with the concept of outsourcing and ICT risk management and had systems in place to address such risks. However, DORA requires a comprehensive ICT risk management framework to be put in place, so the financial entities’ ICT risks need to be addressed holistically. 

For instance, many entities have undertaken extensive analysis of third-party source code and proprietary software for vulnerabilities and anomalies using static and dynamic application testing. As DORA is inherently cross-organisational, this requires many departments in larger institutions to work more closely together than in the past. This involves the engagement of key organisational functions - such as compliance, legal, internal audit, risk management, and general counsel - as well as technical input from ICT experts and consultants. This ensures that the ICT risk management frameworks are aligned not only with market best practice in ICT risk management, but also with strategic and regulatory perspectives.

Given the ultimate responsibility assigned to the Management Body (i.e. Board of Directors) of financial institutions under Article 5(2)(a) of DORA, i.e. its active role in approving, implementing, and overseeing the ICT risk-management framework, this requires the design of a clear and effective delegation of authority/responsibility to senior management and operational functions, as well as well-defined internal governance rules.

Meanwhile, other regulated entities - not previously subject to the guidelines and ICT risk management regulations – faced greater challenges that needed to be addressed from the ground up and from all angles. For example, MiCAR-regulated crypto-asset service providers or ECSPR-regulated crowdfunding service providers need to obtain a license and comply with both MiCAR/ECSPR and DORA at the same time. 

Throughout 2024, we have observed widespread uncertainty regarding DORA compliance practices. Questions often related to the creation and implementation of internal governance documents, incident management protocols for both internal operations and engagements with ICT TPSPs, and approaches to Threat Led Penetration Testing (“TLPT”), to mention a few of the most frequently raised. A recurring issue was how to “translate” DORA requirements into enforceable contractual clauses, a topic - which we discuss in more detail below - that requires careful legal and operational integration. 

In addition, the implementation of DORA was particularly challenging due to the lack of finalised Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”). Ambiguities in DORA’s provisions - such as the scope of ICT services - combined with limited supervisory guidance created significant hurdles for entities seeking to establish compliant ICT risk management frameworks.

The status quo: the readiness of financial entities 

While much was unclear at the start of 2024, the publication of the final drafts of the ITS and RTS provided greater clarity, allowing financial institutions and ICT TPSPs to better prepare for DORA compliance. Unfortunately, the industry still faces a lack of precedent as industry standards and supervisory practices have yet to be developed. However, established security standards such as ISO 27001 certification have provided useful guidance for the financial sector's efforts.

Nevertheless, awareness and strategic planning among financial institutions has improved significantly. Both financial institutions and ICT TPSPs have begun, among other things, to identify vulnerabilities, improve testing practices and proactively develop comprehensive operational frameworks. 

A positive trend towards a 'know-your-ICT-provider' approach has been observed, meaning that financial institutions have invested time and resources to better understand both the ICT services integrated into their own operations and the ICT TPSPs on which they rely.

This approach is expected to improve digital resilience and DORA compliance in terms of third-party risk management, while enabling ICT TPSPs to tailor their services more effectively to the needs of financial institutions and DORA requirements. 

However, the level of readiness among financial institutions varies according to their size. Larger financial institutions, which benefit from more advanced digital maturity and existing risk management systems, are ahead of smaller ones in this compliance journey. Nevertheless, both larger and smaller financial institutions continue to face significant challenges related to third party risk management, highlighting critical gaps that need to be addressed in 2025. 

Looking forward: addressing siloed governance and enhancing resilience

Building on lessons from 2024, financial institutions must integrate ICT risk management within overarching corporate governance to avoid the traditional mistake of treating technology as a separate technical domain. DORA emphasizes the ultimate responsibility of Boards of Directors, underscoring the need for top-level engagement in approving, implementing, and monitoring the ICT risk management framework. Institutions that continue to defer legal and regulatory considerations or view them as secondary to technical issues risk compliance gaps. 

Key measures that boards of financial companies should always consider

1. Clear Governance Structures
   
   • Define and document ICT risk management roles and responsibilities, ensuring alignment with DORA.
   • Establish or expand committees dedicated to digital operational resilience, ensuring cross-functional input.
2. Three Lines of Defence Model
   
   • Maintain appropriate segregation and independence among ICT risk management, control, and internal audit functions. 
   • Foster clear authority lines and accountability mechanisms, alongside effective communication channels, to enhance coordination and reduce oversight failures.
3. Board Training and Awareness
   
   • Provide targeted training on ICT risks, regulatory obligations, and evolving threats so that boards can effectively supervise and support ICT risk management strategies.
4. Regular Reviews and Audits
   
   • Conduct scheduled reviews and independent audits to confirm compliance with DORA and address any emerging vulnerabilities.
5. Integrated Technical and Legal Approach
   
   • Coordinate DORA compliance across ICT, legal, and compliance teams to ensure cohesive governance and avoid regulatory blind spots.
   • Align contractual arrangements with DORA requirements, promoting clarity in service-level agreements and vendor obligations.
6. Annual Activity Wheel and DORA Reporting
   
   • Implement an annual plan to review ICT risk classification, update ICT risk-management frameworks, conduct due diligence on new ICT TPSPs, and maintain the Register of Information (RoI).
   • Regularly report on DORA compliance and incident-related costs to boards for strategic decision-making and resource allocation.

As ICT TPSPs are also affected by DORA, albeit indirectly, there is a clear need to implement some measures on the ICT TPSP side as well, such as incident communication routines, audit/review routines, training.

We expect industry practices and supervisory precedents to emerge over the course of 2025. The EBA has already announced that it is working on a revision of the guidelines on ICT and security risk management. Further developments will hopefully also include meaningful implementation of the increasingly convoluted regulatory landscape, including clarity on reporting requirements under different legislation such as PSD2, NIS2 and GDPR. 

One of the key benefits of DORA may therefore be that it opens the possibility of a streamlined, coherent, and therefore more effective, regulatory framework for the most important non-financial risk factor for financial institutions. 

What are the most interesting topics on the contract side?

One of the most interesting challenges we have encountered has been the fact that, as a new EU regulation, there is currently no established practice, or decisions from regulatory authorities, specifying what “good” looks like when it comes to implementing the requirements of Articles 28(7) and 30 (which set out the key changes that need to be made to contracts for the provision of ICT services between financial entities and ICT third party service providers). For the purposes of this article, we shall refer to such changes as the “DORA Contract Changes”).

As a result we are seeing a range of approaches in respect of implementing the DORA Contract Changes: from financial entities seeking to impose the DORA Contract Changes on a verbatim/gold-plated basis into their contracts to ICT third party service providers resisting changes by arguing for a more proportionate approach to be taken by financial entities in light of the nature of the ICT services being provided.

Generally, we have seen issues fall into one of two buckets:

If the DORA Contract Change covers requirements similar to the EBA Guidelines on Outsourcing Arrangements, then we have seen fewer challenges or issues as these requirements are well known in the market and many ICT third party service providers who operate in the financial services sector have had to deal with them already and have consequently updated their terms to meet these requirements.  The only wrinkle to this is the fact that DORA is an EU regulation (and so applies as a matter of law, albeit subject to the proportionality principle) that must be complied with whereas the EBA Guidelines on Outsourcing Arrangements are guidelines and so there was more flexibility as to how strictly they were complied with.

If the DORA Contract Change covers requirements relating to sub-contracting, TLPT and the new termination rights in Article 28(7) then we have seen more debates and negotiations taking place. For example:

• Sub-contracting: one of the most onerous requirements is for the requirements around subcontracting included in Article 30(2)(a) and the associated RTS on subcontracting ICT Services supporting critical or important functions (the “subcontracting RTS”). Under this Article and the subcontracting RTS certain terms from the contract between the financial entity and ICT third party service provider need to be “flowed down” the entire subcontractor supply chain. Many ICT third party service providers have found this flow down requirement problematic (because the further down the supply-chain you go the harder it is for the ICT third party service provider to mandate flow down of terms) and have relied upon the reference in the recitals to the subcontracting RTS on focusing on those subcontractors effectively underpinning the services to argue that such flow down requirements should be limited to the most “material” or “critical” of its subcontractors, as specified in the relevant contract.  In addition, in relation to flow down requirements (focused on material or critical subcontractor subcontracts), we have seen ICT third party service providers adopt a two tiered approach: committing to flow down certain terms (e.g. in relation to ensuring the relevant subcontract has in place appropriate levels of security or monitoring and reporting terms as required by the subcontracting RTS) but then committing to use reasonable endeavours to try to flow down other terms (e.g. in relation to audit, inspection and access rights where many ICT third party service providers are finding it hard to commit that their material subcontractors grant the same rights of audit, inspection and access to the financial entity as the ICT third party service provider grants to such financial entity).
  
  
• Additional termination rights: Article 28(7) sets out additional termination rights to be included in the relevant contracts. The challenge is that the drafting in the Article is unclear and vague. Many financial entities have taken the approach of copy pasting the requirements without considering their intent. However, we are now seeing ICT third party service providers seeking to include the relevant termination rights but in a more precise manner, arguing that the Article 28(7) requirements are based on “general principles” which then need to be interpretated appropriately (and this approach has been accepted by some financial entities).  For example, Article 28(7)(b) is very widely drafted. As a result, we have been seeing ICT third party service providers reframing it to a right of the financial entity to terminate the relevant contract if the ICT third party service provider makes material changes to such contract (which do not adhere to the process for amending or modifying such contract) which impacts the financial entity’s ability to meet its regulatory obligations and, in such circumstances, the parties are unable to agree on a suitable way forward having discussed the issues for an agreed period of time.
  
  
• TLPT: this new obligation imposed on financial entities to pen-test their critical or important functions and secure ICT third party service providers support where necessary has created quite a lot of drafting problems.
  
  1. First, the obligation will most likely apply only to major, large financial entities, but all financial entities whose critical or important functions are supported by ICT services require regulating such support in their DORA addenda. 
  
  
  2. Second, single tenant cloud services providers are very reluctant to agree for pen-tests on their production ICT environments (required by DORA), which may threaten the continuity and safety of their services provided to other clients. 
  
  
  3. Third, even though ESAs adopted RTS on TLPT which contains many detailed pen-testing methodology guidelines and requirements, they are difficult to transpose to currently drafted DORA addenda because the scope, scenarios, safety measures and other characteristics of a particular TLPT will be established at a later stage on a case-by-case basis. 
  
  
  4. As a result, it is difficult to assess ICT third party service providers’ required support, and in response prepare adequate, proportional contractual safeguards. In addition, there is no practice or further supervisory authorities’ guidelines on the potential carve out provided in DORA Art. 26.4 allowing for pooled TLPT carried out by the ICT third party service provider. The exception is commonly used in contracts, but in practice no one knows how to apply it. 
     We now need to wait for the first DORA compliant TLPT to be carried out and officially attested by the competent authorities.

ESA’s and national competent authorities’ readiness

Under DORA, supervisory powers will be held by the ESAs, with previous national cybersecurity specific administrative practice being largely repealed. As the regulatory competences shift to the European level, national regulatory authorities in their preparatory work always had to make their understanding of DORA subject to the final word from the competent European authorities.

In a recent call to the industry, the ESAs urged financial entities and ICT TPSPs to advance their preparations to ensure their readiness to comply with DORA. It has also been announced by some national competent authorities that the national competent authorities will conduct compliance review of financial entities’ readiness shortly after the DORA application date. 

In addition to the above, the ESAs have recently announced the timeline for collection of the RoI, which has been set to 30 April 2025 when the national competent authorities shall report RoI to the ESAs at the latest. The announcement has been followed by some national competent authorities announcing the national timelines for collection of RoI from financial entities, which will be done at some point between mid-March and mid-April 2025 to satisfy the 30 April deadline to the ESAs. Given the short timeline following a recent publication of the ITS on RoI in the Official Journal, there is a criticality to attend this task urgently given the short timeline when RoI is to be reported to the national competent authorities. 

To facilitate knowledge sharing, the ESAs has recently held a dry run exercise where the ESAs shared valuable insights on what to expect when it comes to ESAs collecting the RoI. Among other things, it was confirmed that LEI and EUID are the only identifiers to be used for ICT TPSPs and the subcontractors to ICT TPSPs delivering into critical or important functions or material parts thereof, whereas European ICT TPSPs can be identified by both LEI and EUID, while ICT TPSPs based outside Europe can only be identified by LEI. It was further confirmed that the reported RoI are to be validated to have correct properties upon receipt to be accepted and, if failed validation, the RoI will be sent back to the national competent authority who then will ask the financial entity in question to re-submit a compliant version of RoI. 

Further to the above, ESAs are currently preparing for the evaluation of ICT TPSPs for the purpose of designation as critical ICT TPSPs. In the decision published recently ESAs announced that RoI reported to the ESAs make an important source of information for ESAs to assess the criticality of ICT TPSPs and to make the designation. As of today, there is currently no clarity as to what ICT TPSPs are to be designated as critical, however, the final information on designation is expected to be announced later mid-2025. 

National legal acts supplementing DORA

Being a regulation DORA is a hard law and is to be applied as is in all Member States. However, since DORA does not entail any provisions on penalties, the Member States are empowered to appoint national authorities responsible for supervision of financial entities in terms of DORA compliance as well as having power to issue sanctions for non-compliance. Further, by way of the accompanying DORA Directive (EU) 2022/2556 the existing regulatory framework has partly been addressed with view to DORA’s requirements, implementing the cybersecurity risk management into the existing general European risk management regulation. Some Member States have already adopted national legal acts supplementing DORA, for example adopted in Sweden, Germany (via Finanzmarktdigitalisierungsgesetz). 

Some Member States seem to be late on implementing supplementing rules, but they are expected to follow within short. For example, in Poland the adoption of DORA implementing regulations was postponed by few weeks to align it with also delayed local implementation of NIS2 Directive.

What does this mean?

DORA represents a significant step forward in the EU's efforts to enhance digital resilience within the financial sector that came to highly rely on ICT-services in recent years. Making it an EU regulation is a much-needed step to create a pan-European level playing field, even though we are yet to see the differences in supervisory practices between different Member States and their impact on financial entities. 

While 2024 laid the groundwork for DORA compliance, 2025 will demand a more mature and fully integrated approach. By merging technical diligence with legal, regulatory, and corporate governance considerations, financial entities can move beyond fragmented or siloed ICT risk management and embrace a coherent framework that underscores the Board’s accountability. Such an approach will enable firms—regardless of size—to better manage third-party risks, enhance resilience, and align with DORA’s overarching objective of safeguarding the financial sector against digital threats.

With only a few days left until DORA starts to apply, we highly recommend enhancing the efforts to close possible gaps to adopt a robust, structured approach to meet the obligations in a timely manner.