With the Act approved, the EC and ESAs have foreseen a period of two years (2023 & 2024) for companies to prepare for DORA and implement it. During this period the ESAs will further define the needed RTSs and make the requirements more concrete. It will be a crucial time for companies to align their governance and practices with DORA's resilience pillars and to identify a roadmap with key deliverables to materialize their digital resilience strategy. They can do this through an initial gap assessment, starting with an analysis of the company profile. The gap assessment will also define the current level of maturity, including compliance with existing guidelines (the most common references include ESA Guidelines, NIS, CROE, etc.) and with the existing IT Risk Management Strategy and standards (such as ITIL, COBIT, NIST CSF, ISO, etc.). This will help identify the delta against DORA's requirements and lay out a roadmap analyzing the priorities and effort needed to constitute a sound Digital Resilience Strategy and framework. Note that, during this period, the Regulators will further define new Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs). It is crucial for the strategy and newly defined framework to be sufficiently agile to accommodate these new standards.
At the beginning of 2025, the Act will come into force. This means that the ESAs will expect the mandatory reports outlined by DORA to be available upon request, and will use them to assess any gaps in the market. During this timeframe, companies should focus on maturing their Digital Resilience Framework. By then, they should also be prepared to perform the annual evaluations, testing and reporting mentioned above. By the end of 2025, mandatory penetration testing will come into force, and certification by the ESAs will have to be obtained.
Regulators confirmed that DORA will by default become the "lex specialis", taking precedence over any overlapping regulatory texts such as NIS or the ESA guidelines. Companies should keep this in mind when performing an internal check of their regulatory compliance, and use DORA as the main reference to avoid further unforeseen gaps when DORA comes into force in 2025.
More resilient companies, but at what cost?
The requirements and expectations laid out by DORA will impact the market as a whole. Becoming digitally resilient may represent a costly endeavor for certain actors and, while DORA will translate into a more robust market, companies are rightfully concerned about the financial implications of such a regulation, particularly on SMEs.
Regulators have foreseen the concept of proportionality in the application of such texts to tackle these concerns. To establish a safer and more competitive market, the ESAs, when regulating financial entities, will consider aspects such as the company's size, its complexity and the services it provides. Besides size and complexity, there is another determining factor that provides some insight into the financial implications of DORA: the company's maturity profile and level. Companies with lower maturity in their governance and internal practices will have to invest more resources and money to acquire the capability and capacity to meet the challenge DORA represents. Tackling this at an early stage is key to success, as a reactive approach will always be more costly than a preventive one.