Financial Services Ireland

Introduction 

Now that DORA is applicable to EU financial entities as of 17 January 2025, the focus for them has swiftly moved to “Day 2” priorities.  For critical ICT third-parties, most have a strong sense that they will be subject to the Oversight Framework and accordingly have for some time now been seeking to ensure their own high level of digital operational resilience in line with DORA.

EY recently hosted a unique event on 5 February 2025 and were joined by the Central Bank of Ireland (CBI), a soon-to-be-designated critical ICT third-party provider (CTPP) and a major credit institution to discuss the current state of DORA, the “Day 2” priorities, the CBI’s approach to DORA supervision and how CTPPs are preparing for DORA and the future state of the financial services industry.  Detailed below are the main takeaways and learnings discussed at the event.


DORA – a business imperative and a multi-year journey

EY opened the event by underlining that digital resilience is no longer a compliance exercise or an issue for the IT function; it is a business imperative. Roles and responsibilities must be clear across the organisation, not just in IT, and digital resilience must be ingrained in the business strategy.

DORA is also not a one-off compliance or “tick-box” exercise. If financial entities take this mindset, it will lead to their programmes ending up at “the point of inadequate outcome”, with manual and decentralised processes, which is not the objective of DORA.

Financial entities must approach DORA as a multi-year continuous journey, strategically transforming the organisation towards longer-term sustainable technology and data solutions in the business as usual (BAU) operating model to ensure sustainability and continuous compliance.  To achieve this, scalability, automation and innovation will be essential.

Current state – Market insights

EY conducted a recent survey which assessed the expected compliance of a wide range of financial entities ahead of 17 January 2025.  The following key points were noted:

  1. The highest area of expected compliance was that of the RTS on ICT Third-party Policy, with 98% of financial entities expecting to be fully compliant.
  2. Across the Digital Operational Resilience Testing (DORT) pillar, 75% expect to be fully compliant.
  3. Unsurprisingly, the lowest figures were with the RTS on subcontracting (35%), and given its delays as well as its recent rejection by the European Commission, these figures are unlikely to increase in the near future.
  4. 50% of financial entities stated compliance with the ITS on the Register of Information (RoI), showcasing a need for urgency with the April 2025 submission deadline to the CBI looming for Irish financial entities.
  5. Across the entire Level 1 text, 67% of financial entities deemed themselves to be compliant.

The key learning from this survey is that, although financial entities have completed some of the groundwork by now, they next need to continue their efforts to reach minimum mandatory compliance as part of a multi-year transformation towards embedded digital resilience.  To this end, firms must take a structured, phased approach to compliance balancing immediate regulatory needs with long-term digital resilience goals.

DORA now (2025)

EY presented a 1, 2 and 3+ year view on the DORA journey which financial entities are currently undertaking.  Looking at the “now”, the key message is achieving immediate compliance readiness or “minimum mandatory compliance”.  Financial entities should have a comprehensive gap analysis with Board-approved remediation plans in place, together with an approved ICT Risk Management Framework and a Digital Operational Resilience Strategy.  The major ICT-related incident classification and reporting process should be defined and in place, as this is a mandatory reporting requirement since 17 January 2025.  Financial entities should be performing risk-based contract remediation and have made progress on the completion of the RoI.  Critical or Important Functions (CIFs) should be mapped and linked to the requirements under the DORT pillar.  Overall governance and operating model design should be complete, and training requirements established and in train.

DORA next (2026)

Moving into 2026, financial entities should be achieving operational maturity.  A key recommendation to provide comfort in the financial entity’s DORA compliance is to commission an independent review of the financial entity’s DORA programme (current state and future state).  The key “Day 1” requirements should be embedded within the organisation, in particular the ICT RMF and DOR Strategy.  Financial entities should expect supervisory activities and oversight to have commenced, or to commence in the near future.  Testing under DORT should be increasing in complexity, and scenarios should be refreshed to reflect lessons learned.  Subcontractor management, oversight and monitoring should be embedded in the organisation, and contract remediation efforts complete.  Financial entities should be reviewing their DORA capabilities and resources and securing budget as required in line with their overall DOR strategy.

DORA beyond (2027+)

As DORA moves into the future, financial entities should have embedded sustained digital operational resilience across their organisation.  Financial entities should be looking at enterprise resilience (i.e. across the organisation) and resilience by design, in particular across their CIFs.  This should include an Enterprise Resilience Strategy which sets out the need for a long-term resilience roadmap, considering operational resilience, digital operational resilience and third-party management. Reporting should be integrated across the various requirements using common data sets, processes and tools, with automated major incident classification and report creation.  Automation should feature heavily across Third-Party Risk Management processes, in particular third-party risk assessments.  Financial entities should be considering emerging technologies as part of their digital operational resilience strategy, such as Artificial Intelligence (AI), to automate processes such as ICT Risk Management, Incident Management, ICT Asset Management, Threat Intelligence and Third-Party Risk Management.

Emerging challenges

As the industry continues to get to grips with DORA, a number of key challenges have been emerging. These include the requirements relating to ICT sub-contractors and the subsequent contractual changes, and the need to properly assess the capabilities and resources required to support ongoing DORA activities.  Across the scope of DORA, a common theme is the level of external dependencies which exist: financial entities are hugely reliant on ICT third-parties to engage and be proactive in their interactions, particularly around the RoI and the ICT third-party requirements.

Central Bank of Ireland updates

The CBI gave a number of key updates from both a timeline perspective and a practical supervision point of view.  Key to this is the establishment of the new Governance, Operational Resilience and Risk Management (GORM) Division, which aims to provide horizontal and vertical supervision of DORA in Ireland.  As part of this new division, a dedicated Operational Resilience and Incident team is now in place.  Its role will include the monitoring and analysis of all major incidents which are reported under DORA.  The CBI noted that 4 such major ICT-related incidents have occurred since 17 January 2025 to date.  Early insights from the CBI in relation to this reporting are that financial entities are understandably taking a cautious approach in reporting incidents, and that in some cases the incident did not meet the classification criteria. It was also confirmed that all inspections will be conducted in line with DORA going forward, including thematic reviews and new authorisation processes.

Critical ICT third parties

The CTPP outlined their approach to DORA, which is built on three pillars: direct engagement with regulators, partnership with customers, and integration of built-in capabilities to meet the needs of the industry.  They confirmed that they have been working closely with the ESAs on DORA over the last few years and that, although they were informally notified that they will likely be designated as a CTPP by the ESAs, the formal designation is expected in October of this year. It was also clear that this kind of oversight is not “net new” for the organisation and is something they engage with continuously at both an EU and a global level.

Q&A

A brief Q&A panel was held with all speakers and open to those attending. A number of key areas were touched on and insights shared across the panel.

Financial Service versus ICT service

The first key area relates to the hotly debated topic of what is an “ICT service” versus a “financial service”.  This was recently answered by the EC in a public open ESA Q&A item; however, the sense was that this left the industry with little clarity.  It is clear that an assessment of each service is required so that financial entities can truly understand the position and confidently stand over their conclusion.  The guidance provided in the Q&A is for financial entities to complete a two-step check on each service to understand whether it is a financial service or an ICT service which falls into the scope of DORA. These steps are:

  1. Does the service qualify as an ICT service under DORA (Article 3(21))?
  2. Are the financial service provider and the financial service being provided regulated under EU, Member State or third-country laws?

If both conditions are met, the ICT service is considered predominantly a financial service and falls outside the DORA ICT services definition.  On the other hand, ICT services that are unrelated or independent from regulated financial services remain subject to DORA as an ICT service.

As always, independent legal advice is recommended.  The wider audience also agreed it was an area which could benefit from additional guidance from the CBI in the form of an FAQ response on their webpage.

Critical or Important Functions versus Critical Business Services

As always, the topic of Operational Resilience and Critical Business Services (CBSs) versus DORA and Critical or Important Functions (CIFs) was raised.  Whilst Operational Resilience compliance efforts and CBSs are a good start, the CBI acknowledged that they cannot simply be repurposed to cover DORA’s CIFs.  A distinct difference exists in both definition and scope between the two, and firms must come to grips with this in order to ensure the coverage required by DORA. While some might consider that a CIF, or multiple CIFs, may exist within a CBS, DORA has a broader scope and harm criteria for financial entities to consider, including internal activities not related to customer activities which could materially impact the operation of the organisation or could lead to licence compliance or national law breaches.

Register of Information

With the deadline for the submission of the RoI to the CBI now set as 4 April 2025, financial entities are turning their attention to populating their registers.  A question was posed to the CBI to understand whether they will be providing guidance on the CBI portal which will be used for submission, and also whether there will be a “dry run” where financial entities can test the portal to see if their reporting is accepted before final submission.  Finally, there was a query to the CBI to understand when the portal would be open, and whether it has been sufficiently stress tested to ensure it is capable of handling the level of traffic expected on 4 April 2025.  The CBI responded that these were all good suggestions which they will consider ahead of the 4 April 2025 submission deadline.

Threat-Led Penetration Testing (TLPT)

Finally, TLPT was a topic of concern for those present.  Specifically, attendees raised queries in relation to pooled testing and the practical elements that come along with it.  While it is not yet clear how the National Competent Authorities (NCAs) will approach pooled testing, it was noted that there will be very specific scenarios where pooled testing will be allowed, considering the financial entities, NCAs, services and CIFs that are involved. The CBI did note that NCAs across the EU are in agreement that they will not engage with financial entities on TLPT until the RTS has been finalised and published, which means organisations can expect engagement on this in Q3 2025.

The difficulty of completing TLPT is increased, of course, if a third-party is designated a CTPP in due course.  Undoubtedly, this area will only clarify itself as financial entities and third-parties move to BAU and move to establish best practice and ongoing relationships in the area.

Conclusion

The key takeaways from this event are that organisations, including financial entities and ICT service providers, have made significant progress in laying the groundwork for DORA and implementing key artefacts such as the ICT Risk Management Framework and Digital Operational Resilience Strategy to meet minimum mandatory compliance. However, there is still a lot of uncertainty in the market due to the current status of the technical standards and lack of clarity provided in Q&A responses from the ESAs and CBI.  As financial entities continue their remediation roadmaps, it is critical that they engage with their peers in the market, their NCA, and also seek external guidance and support to ensure their programme remains on track to achieve compliance.  It is also vital that DORA is not seen as a once-off compliance exercise and that organisations seek to leverage DORA as an opportunity for strategic transformation and a move towards Enterprise Resilience.

How can EY help?

As always, EY are well-positioned to support financial entities on their DORA compliance journey.  As financial entities move from the gap analysis phase of their programme into implementation and operationalisation, an independent review of the DORA programme and of the DORA gap analysis can help an organisation in course-correcting the programme or providing comfort to the Board in the approach taken.

Financial entities are now focused on the next deadline for DORA, which is the submission of the Register of Information.  Many financial entities are grappling with the complexities of this requirement and EY can support in design and implementation of the RoI, or completion of an independent review to provide comfort that the RoI is designed in line with the data point model provided by the ESAs and will be robust enough for eventual CBI submission.

EY are supporting our clients on all aspects of their DORA compliance ranging from Transformation/Implementation support to Strategy and Operating Model through to Automation and Technology.  If you are interested in hearing more, please feel free to reach out directly to me or a member of the EY team.

Contact Us

Talk to us today about how our EY teams can help your business succeed in your technology transformation journey.