
Key Focus Areas
The new policy package primarily addresses the reporting framework for major ICT-related incidents (content, timelines and reporting templates) and threat-led penetration testing (TLPT). It also sets out requirements for the design of the oversight framework for critical ICT third-party service providers, aimed at ensuring the uninterrupted provision of financial services and safeguarding customer data.
Subcontracting RTS delayed
One of the main challenges EU financial firms face when implementing DORA is how to handle subcontracting by their ICT third-party providers. The ESAs were expected to finalize the remaining regulatory technical standard (RTS) on subcontracting of ICT services supporting critical or important functions by 17 July 2024. However, in their press release for the second batch, the ESAs only state that this remaining RTS will be published "in due course".
Timeline and Implementation Concerns
All DORA requirements apply from 17 January 2025, leaving firms less than six months to comply. Despite concerns in the industry about the work that remains, the ESAs have reiterated that they have no mandate to introduce transitional provisions that would smooth DORA implementation beyond this date.
In summary, the second batch of policy products under DORA marks a critical step towards strengthening the digital operational resilience of the EU's financial sector. However, the delay in finalizing the subcontracting RTS poses a challenge for firms racing against the clock to meet the January 2025 deadline: they must design their third-party and subcontracting arrangements before the final requirements are known. With these new standards and guidelines, the ESAs are laying the groundwork for a more secure and resilient financial ecosystem in Europe.
Contact
If you have any questions, please contact our Chief Information Security Officer, Sabika Ishaq, or our Senior Information Security Manager, Magdalena Mihalcea.