
Chief Information Security Officers (CISOs) face an important milestone on April 30th, 2025: ensuring their organizations are ready to meet the strict requirements of the EU’s Digital Operational Resilience Act (DORA). By April 30th, companies must have established comprehensive registers of information related to their Information and Communication Technology (ICT) services. This involves not only compiling accurate data but also engaging effectively with National Competent Authorities (NCAs) to ensure timely submission to the European Supervisory Authorities (ESAs). This is yet another priority for CISOs working to safeguard their organizations against potential regulatory oversight.
An intro to DORA compliance
DORA, which took effect on January 17, 2025, is a regulation covering financial entities and their ICT service providers. DORA’s scope extends beyond the EU, affecting financial entities and ICT providers operating within the EU or providing services to EU financial institutions. For CISOs, this regulation requires the creation of detailed registers of information related to ICT services, ensuring that these entities can withstand and recover from disruptions.
By focusing on resilience rather than mere protection, DORA requires CISOs and their organizations to reassess their risk management policies, incident management frameworks, and contractual agreements with ICT service providers. This shift potentially improves the security posture of financial institutions and also prepares them for the increased scrutiny and potential penalties associated with non-compliance.
Step 1. Establish registers of information
Creating comprehensive ICT service registers is a key requirement under DORA. These registers must clearly describe the functions and services provided by ICT third-party service providers, specifying any subcontracting permissions and conditions. The geographical locations where services are delivered and data processed, including storage sites, must be documented, with any changes communicated in advance. Provisions for data protection, covering availability, authenticity, integrity, and confidentiality, are essential, alongside measures for data access, recovery, and return in case of provider insolvency or contract termination.
Service level agreements, including performance targets and updates, form a critical part of the register, ensuring that financial entities can monitor and address service delivery effectively. Additionally, the registers should outline the obligations of ICT providers to assist during incidents and cooperate with authorities, as well as termination rights and notice periods. The EU has previously published a set of data validation rules for these registers.
Financial entities should also establish a process for regular updates to the register, reflecting any changes in ICT services or providers. This ongoing process ensures the data remains current and aligns with DORA’s requirements for operational resilience. By maintaining clear communication channels with ICT providers and implementing a structured approach to data management, financial entities can effectively meet DORA’s compliance standards.
Step 2. Proactively engage with national competent authorities (NCAs)
NCAs are the primary regulatory bodies responsible for overseeing the adherence of financial entities to the regulation’s requirements. They are tasked with ensuring that entities establish and maintain accurate registers of ICT services, which are required under DORA. NCAs provide guidance to financial entities which can be used to interpret and implement DORA’s provisions effectively. They also facilitate communication between financial entities and ESAs, ensuring that the information is submitted accurately and on time. By conducting regular audits and inspections, NCAs help to assess the compliance status of financial entities, identifying any gaps or areas for improvement. This oversight helps maintain a high standard of digital operational resilience across the financial sector. Engaging proactively with NCAs allows financial entities to clarify expectations, receive timely feedback, and address any compliance issues before they escalate.
Effective communication and collaboration with NCAs will be essential for financial entities to meet DORA’s compliance requirements. Establishing clear and open lines of communication allows regulated entities to stay informed about regulatory updates and expectations. Regular meetings and consultations with NCAs can help clarify compliance requirements and provide opportunities for feedback on implementation strategies. Financial entities should also designate a dedicated liaison or team responsible for managing interactions with NCAs, ensuring consistency and continuity in communication. Sharing relevant information promptly and transparently, such as updates on ICT service registers or incident reports, fosters trust and shows a commitment to compliance. Additionally, participating in workshops or training sessions organized by NCAs can enhance understanding of regulatory expectations and facilitate knowledge sharing.
Step 3. Submit the registers of ICT third-party providers’ contractual arrangements to the European supervisory authorities (ESAs)
The submission process to the ESAs under DORA involves a structured timeline and specific requirements that financial entities must adhere to. By April 30, 2025, NCAs are required to submit the registers of ICT third-party providers’ contractual arrangements to the ESAs. This means that financial entities will need to have their registers ready before April 30th to allow for any necessary reviews or updates. The registers must include the aforementioned details about ICT services, including data processing locations, subcontracting arrangements, and service level agreements. Entities should ensure that all information is accurate and up-to-date, reflecting any changes in service agreements or provider details. The submission must also be formatted according to the guidelines provided by the ESAs.
One significant challenge for regulated entities will be ensuring the accuracy and completeness of the ICT service registers, which requires careful data collection and verification. To address this, entities should implement a robust data management system that allows for regular updates and audits of the information.
Another challenge is meeting the rapidly approaching deadlines for submission, which can be mitigated by establishing a clear timeline and assigning dedicated teams to oversee the preparation and submission process. Communication gaps between financial entities and their ICT service providers may also pose difficulties, making it important to maintain open and ongoing dialogue to ensure all parties are aligned with the requirements. Finally, understanding the specific formatting and content guidelines set by the ESAs can be complex, so entities should seek clarification from NCAs and consider taking part in workshops or training sessions.
Ensuring ongoing compliance and resilience
As with many things in cybersecurity, this is a process, not a project. Financial entities must establish a systematic approach to review and update their ICT service registers regularly to reflect any changes in service agreements, provider details, or data processing locations. This involves setting up a schedule for periodic audits and updates, ensuring that all information remains current and accurate. Entities should also implement a change management process to capture any modifications in ICT services promptly, including new subcontracting arrangements or changes in service level agreements. Engaging with ICT service providers to verify and confirm updates is essential, fostering a collaborative approach to maintaining data integrity. Additionally, entities should document any updates and maintain a clear record of changes to facilitate transparency and accountability.
Similarly, continuous engagement with NCAs and ESAs will be essential for maintaining compliance under DORA. This involves establishing regular communication channels to stay informed about regulatory updates and expectations. The GRC maturity model describes a structured approach for organizations to manage relationships with regulators. By implementing standardized processes, organizations can ensure consistent and effective communication with these regulatory bodies. Proactive engagement allows organizations to anticipate regulatory changes and align their strategies accordingly. Comprehensive documentation and record-keeping facilitate transparency and accountability, which are crucial in regulatory interactions. Advanced technology integration further enhances the efficiency of managing regulatory relationships, enabling organizations to respond swiftly to inquiries and maintain compliance with regulatory requirements. This approach supports organizations in building strategic and collaborative relationships with NCAs and ESAs.
Looking ahead: what to consider
As organizations look to the future, preparing for upcoming regulatory changes will be crucial for maintaining compliance and resilience. Staying informed about potential updates to regulations like DORA is essential, as these changes can impact operational processes and risk management strategies. Financial entities should monitor regulatory developments and participate in industry forums or working groups. This engagement allows them to plan for changes and adapt their strategies accordingly. Building flexibility into compliance processes can help organizations adjust to new requirements without significant disruption. And fostering strong relationships with regulatory bodies, such as NCAs and ESAs, can provide valuable insights and guidance on future regulatory trends. This will help organizations to remain agile and responsive to the increasingly complex regulatory landscape.
