A Digital Resilience Deadline Looms: DORA's January Challenge

The clock is ticking for the European financial sector. On 17 January 2025, the Digital Operational Resilience Act (DORA) becomes binding across the European Union, setting a new benchmark for digital resilience in financial services.

Designed to safeguard the sector from technological disruptions, DORA’s sweeping requirements promise to bolster resilience—but with just days to go, the financial industry faces a daunting challenge of compliance.

Recent statements from European Supervisory Authorities (ESAs) underscore the urgency of the task, with little room for leniency on the deadline. But with its 500-plus requirements and tight timelines, how prepared is the sector to meet this watershed moment?

A Strict Stance from Regulators

For firms hoping for a phased enforcement period, the ESAs have made their position clear: no grace period. Instead, full compliance is expected by day one.

However, given the act’s complexity, some enforcement nuances are likely. Many regulators will have to take a targeted approach, prioritizing significant and visible breaches due to limited bandwidth and expertise.

At the center of this effort is the register of information, a critical tool enabling regulators to identify key third-party suppliers and assess their resilience. The final implementing regulation for these registers was only published in December 2024, leaving institutions little time to prepare.

Despite the ESAs’ argument that drafts have been available since January 2024, the timeframe remains tight, prompting organizations to adopt pragmatic, risk-based strategies.

The ESAs’ focus is clear: accuracy and technical compliance matter most. This includes ensuring registers use proper naming conventions and formats, and that they comprehensively cover the most critical IT providers.

A Fragmented Readiness Across Sectors

While some organizations are better positioned to meet DORA’s requirements, readiness varies significantly across sectors.

Banks and insurers, already governed by robust outsourcing and ICT guidelines such as those from the European Banking Authority (EBA), appear relatively prepared. These entities submitted registers with five times more data points on average than alternative investment fund managers during a recent ESA “dry run.”

By contrast, alternative investment fund managers and smaller institutions, with less mature compliance frameworks, face greater challenges. The divergence highlights how existing regulatory landscapes have shaped readiness, with heavily regulated sectors gaining a head start while others scramble to build their compliance infrastructure.

Member States’ Varied Enforcement

Although DORA aims to create a unified standard across the EU, its enforcement is expected to vary by country. For instance:

  • Luxembourg: Regulators here have preemptively implemented DORA-inspired rules, including detailed consultations on readiness. Expectations for compliance are high.
  • Austria, Malta, and Hungary: These jurisdictions emphasized participation in the ESA dry run, suggesting regulators in these regions are actively preparing to enforce the act.
  • Other Member States: Some countries have yet to transpose Directive 2022/2556, which introduces DORA-related amendments into national financial laws, potentially leading to uneven enforcement across the EU.

This fragmented approach places an additional burden on multinational firms, which must navigate differing national expectations while meeting DORA’s stringent requirements.

Contractual Challenges in Third-Party Oversight

One of DORA’s most significant hurdles lies in third-party risk management, a cornerstone of its framework. Financial institutions must review and update contracts with all critical third-party providers to ensure compliance with DORA’s provisions.

These include:

  • Performing due diligence on suppliers before entering agreements.
  • Assessing concentration and operational risks.
  • Ensuring third-party providers meet strict security requirements.

For larger institutions, this is a herculean task. Major banks often manage up to 1,000 critical and material third-party contracts, each requiring review and potential renegotiation.

In October, the European Central Bank (ECB) issued “Dear CEO” letters reiterating that all contract negotiations must be completed by the January deadline. However, many institutions are adopting proportionate approaches, prioritizing the most critical contracts first and deferring others for phased implementation throughout 2025.

Non-EU Institutions and the Global Implications

DORA’s scope extends beyond the EU. Any non-EU financial institution that operates within the EU or serves one of its 22,000 financial entities must comply with the regulation. However, anecdotal evidence suggests that non-EU banks are slower to act.

For many, DORA is just one of several regulatory regimes, leading to de-prioritization in favor of more pressing compliance needs.

Smaller institutions outside the EU may also escape immediate scrutiny, as regulators are likely to focus on larger, EU-headquartered firms.
