Preparation for DORA application

The Digital Operational Resilience Act (DORA) will become applicable on 17 January 2025. From that date all financial entities in its scope will need to have a comprehensive register of their contractual arrangements with ICT third-party service providers available at entity, sub-consolidated and consolidated levels. 

The registers will serve for:

  • financial entities to monitor their ICT third-party risk, 
  • the EU competent authorities to supervise ICT and third-party risk management at the financial entities and 
  • the ESAs to designate the critical ICT third-party service provides (CTPP) which will be subject to an EU-level oversight.

To help financial entities be ready with the preparation and submission of their registers of information from January 2025, the ESAs and competent authorities will carry out a dry run exercise on a best-efforts basis in 2024.