DORA compliance update: Actionable insights from the latest ESAs announcement

The European Supervisory Authorities (ESAs) have released an important update to support compliance with the Digital Operational Resilience Act (DORA). This update tackles the growing challenges of managing ICT risks and strengthening operational resilience in today's digital financial world.

CISOs, CEOs, and other decision-makers need to understand this update to align their strategies with new regulatory requirements.

This blog breaks down the latest ESA announcement, highlights its key points, and explains what it means for organizations working toward DORA compliance. It also offers practical tips to help decision-makers navigate these changes effectively.

Read also: DORA Steps: A Comprehensive Guide to the Digital Operational Resilience Act

Overview of the ESAs announcement

The ESAs—comprising the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA)—have issued a directive requiring competent authorities to submit detailed registers of information regarding contractual arrangements with ICT third-party service providers.

This directive emphasizes the importance of transparency and accountability in managing third-party ICT relationships, ensuring that financial institutions are adequately prepared to mitigate risks stemming from critical dependencies.

The path leading to the ESAs announcement

The ESAs have been actively developing Regulatory Technical Standards (RTS) to facilitate the implementation of the DORA. These ESA DORA RTS provide detailed requirements to enhance the digital operational resilience of the EU financial sector.

Key developments:

1. First set of ESA DORA RTS (January 2024):

• ICT risk management framework: Detailed elements for managing ICT risks, including a simplified framework for smaller entities.
• Incident classification: Criteria for classifying major ICT-related incidents to ensure consistent reporting.
• ICT third-party policy: Governance and risk management requirements for ICT third-party service providers.
• Information register templates: Standardized templates for maintaining records of ICT third-party service providers.

2. Second set of ESA DORA RTS (July 2024):

• Incident reporting: Content, format, and timelines for reporting major ICT-related incidents and significant cyber threats.
• Oversight activities: Harmonization of conditions for conducting oversight activities.
• Joint Examination Teams (JET): Criteria for determining the composition of JETs.
• Threat-Led Penetration Testing (TLPT): Requirements for conducting TLPT to assess resilience.

3. ESA DORA RTS on subcontracting (July 2024):

• Guidelines for assessing and managing subcontracting of ICT services that support critical or important functions.

Next steps:

The ESAs have submitted these RTS to the European Commission for review and adoption. Financial entities are expected to comply with DORA requirements by January 17, 2025.

Entities should proactively assess their ICT risk management frameworks, incident reporting procedures, and third-party service provider arrangements to ensure alignment with the upcoming standards.

Staying updated about these developments is crucial for financial institutions to strengthen digital resilience and meet EU regulations.

Read also: Streamline compliance with dashboards and reports

Key components of the ESAs announcement

The ESA directive explains the timelines, reporting schedule, and steps for submitting information registers. Following these rules is key for authorities and financial entities to meet DORA requirements, ensuring the EU financial system remains stable and secure.

1. Timelines and deadlines

• Initial submission: Competent authorities must send the first set of information registers to the ESAs by April 30, 2025. This starts the monitoring of critical ICT third-party service providers.
• Ongoing reporting: After that, submissions will happen annually, with exact dates provided by the ESAs. Regular reporting helps keep track of ICT third-party risks.

2. Reporting frequency

• The directive requires information registers to be submitted once a year. This allows data to be updated regularly, reflecting any changes in contracts or the status of ICT third-party service providers.

3. Procedures for submission

• Standardized templates: TESAs will provide templates for competent authorities to ensure all necessary data is included in a consistent format.
• Submission channels: Authorities must use secure submission methods to keep the data safe and private.
• Data validation: Before sending, authorities must check that all information is complete and accurate to ensure its reliability.

4. Content of information registers

The registers should include:

1. Contract details: Information about the services provided by ICT third-party providers, contract duration, and any subcontracting.
2. Service criticality: Highlighting services that are essential to the financial entity's operations.
3. Incidents and risks: Documenting issues or risks related to the ICT providers' performance for better oversight and risk management.

Listen to: De*Romanticizing the Cybersecurity Complexity

Implications for CISOs and CEOs

The ESAs announcement brings critical implications for CISOs and CEOs tasked with navigating the complexities of DORA compliance.

For CISOs, this announcement underscores the importance of integrating operational resilience into cybersecurity strategies.

CEOs, on the other hand, must view compliance as a strategic imperative, recognizing its role in safeguarding the organization's reputation and financial stability.

It is not merely a regulatory requirement but an opportunity to enhance resilience and build trust in an increasingly digital financial ecosystem.

Key areas of focus include strategic planning and operational adjustments to meet the newly established reporting framework.

Strategic planning

1. Risk assessment:

• Organizations must conduct a comprehensive evaluation of their current ICT third-party dependencies.
• This involves identifying providers whose services are critical to operations and could pose significant risks if disrupted.
• Risk assessments will help prioritize efforts and prepare for the designation of critical service providers under the ESA directive.

2. Resource allocation:

• Ensuring compliance with the reporting requirements necessitates a commitment of resources, including financial investments and personnel.
• Dedicated teams may need to be established to handle data collection, reporting, and engagement with competent authorities.
• Timely resource allocation will be essential to meet the April 30, 2025, deadline and sustain ongoing compliance efforts.

Operational adjustments

1. Data management:

• The directive highlights the need for robust data collection and reporting mechanisms that align with ESA standards.
• This includes implementing systems to gather, validate, and securely store information about contractual arrangements with ICT service providers.
• Automating data processes can enhance accuracy and efficiency while reducing manual errors.

2. Vendor management:

• Organizations must reassess their existing contracts and relationships with ICT service providers to ensure alignment with DORA's oversight framework.
• This may involve renegotiating terms, enhancing service-level agreements (SLAs), and verifying the criticality of services provided.
• Strengthened vendor management practices will help maintain compliance and mitigate risks associated with third-party dependencies.

Read also: 5 Ways Automated Compliance Checks Help CISOs Manage Their Workload

Actionable steps for compliance

To meet the ESA directive and align with DORA requirements, organizations must take a phased approach to compliance, addressing immediate, mid-term, and long-term priorities. These steps will enable CISOs and CEOs to build the necessary frameworks and processes to meet regulatory expectations effectively.

Immediate actions

1. Internal audit

• Conduct a detailed review of all ICT third-party service providers to assess their criticality to your organization's operations.
• Identify service providers whose disruptions could pose significant operational or financial risks.
• Document findings in a structured format to support subsequent reporting and compliance efforts.

2. Policy updates

• Update internal policies to reflect the ESA's requirements for data reporting and quality assurance.
• Include protocols for identifying and designating critical ICT third-party providers, as well as ensuring accurate and confidential data reporting.
• Align policies with broader organizational resilience and cybersecurity strategies to create a cohesive compliance framework.

Mid-term strategies

1. Training programs

• Design and deliver training sessions for key personnel involved in vendor management, compliance, and IT operations.
• Focus on DORA-specific requirements, the ESA reporting framework, and data validation standards.
• Regularly refresh training materials to incorporate updates from regulators or internal process changes.

2. Technology investments

• Explore and implement compliance management tools to automate the collection, validation, and reporting of ICT third-party data.
• Leverage risk management platforms to monitor vendor performance and identify potential compliance gaps.
• Ensure any new technology investments prioritize scalability and secure data handling in line with DORA's expectations.

Long-term considerations

1. Continuous monitoring

• Develop robust systems for ongoing oversight of ICT third-party service providers to ensure they consistently meet performance and compliance standards.
• Utilize automated tools or dashboards to track metrics such as service availability, incident reports, and adherence to SLAs.
• Incorporate feedback loops to adapt monitoring practices to evolving regulatory requirements.

2. Stakeholder communication

• Establish clear channels for communication with internal and external stakeholders, including regulators and ICT service providers.
• Stay proactive in engaging with regulators to remain updated on changes or clarifications regarding DORA compliance.
• Foster transparency within the organization to build a culture of accountability and preparedness for future regulatory shifts.

By implementing these steps, organizations can achieve compliance with current ESA directives. They can also build a resilient and adaptable foundation for long-term operational resilience and regulatory alignment.

Read also: How Scrut helps achieve compliance with DORA

Winding up

The ESA's announcement is a key milestone for DORA compliance, focusing on resilience and managing ICT risks in the financial sector. For CISOs and CEOs, this isn't just about meeting regulations—it's a chance to improve transparency, trust, and operational strength.

By adopting proactive strategies and aligning with the ESA framework, organizations can meet compliance deadlines and create a strong, future-ready foundation. Taking on this challenge now ensures long-term stability and leadership in the changing digital world.

Ready to simplify your path to DORA compliance?

Scrut makes DORA compliance effortless with automated tools for risk management, vendor assessments, and regulatory reporting. Stay ahead of deadlines, streamline ICT third-party oversight, and build operational resilience—all in one platform.

Talk to our experts today and get started on achieving DORA compliance with confidence.

FAQs

What are the key points of the DORA Act? DORA ensures financial entities in the EU can withstand ICT disruptions through robust risk management, incident reporting, oversight of third-party providers, and threat-led penetration testing.

What is ESA from DORA? ESA DORA refers to the European Supervisory Authorities' role in developing Regulatory Technical Standards (RTS) and guidelines for implementing the Digital Operational Resilience Act.

What is the DORA regulation 2025? DORA, effective January 17, 2025, mandates EU financial entities to enhance ICT resilience, monitor risks, and comply with standardized reporting and third-party oversight requirements.

What are the reporting requirements for DORA? Financial entities must report ICT-related incidents, maintain registers of third-party contracts, and comply with ESA-defined formats, timelines, and validation procedures.

What are the five pillars of DORA? The five pillars are ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.