DORA entered into force on 17 January, together with new requirements for operational digital resilience within the financial sector and rules on the provision of ICT services in the financial market.
The final versions of the implementing acts for DORA are also expected to be published in the near future. According to current plans, a draft law implementing DORA, which will regulate the supervision of the Polish Financial Supervision Authority (KNF) in this area, should reach the Sejm (the lower house of the Polish Parliament) in the first quarter of this year.
DORA requirements for the financial sector
Under the new rules, financial institutions must meet new obligations, including in the following areas:
- ICT risk management, i.e. the development of robust mechanisms for identifying, assessing and monitoring digital risks
- ICT incident management, classification and reporting, i.e. appropriate procedures for responding to and reporting incidents
- Testing operational digital resilience, i.e. ensuring regular reviews of the effectiveness of security systems and crisis management
- Managing the risks posed by ICT third-party service providers, i.e. ensuring security throughout the supply chain
To this end, financial institutions must ensure adequate internal preparation in terms of applicable policies, procedures, records or documentation (as required by the relevant Regulatory Technical Standards – RTS) and external preparation covering the security of contractual relationships with ICT service providers.
Has the financial sector managed to implement DORA?
Although formally the financial sector should be ready, the fact that the adaptation processes have involved hundreds of documents and contracts means that many firms may still not be fully prepared. In addition, new sets of Q&As and authority positions on the application of DORA have been published, such as those on the exemption of ICT services related to regulated financial services from the DORA regime.
The remediation of supplier contracts is also a time-consuming process, because compliance here depends on the other party and on the length of the associated negotiations.
One of the most common problems is the regulation of subcontractors and the imposition of additional obligations on ICT suppliers. The fact that the RTS on subcontracting have not yet been officially adopted does not make it easier for the parties to reach an agreement. In addition, for existing cloud contracts, DORA expands the definition of subcontractor used to date, which stems from the now repealed Cloud Computing Communication.
DORA – post-implementation compliance audits
Before 17 January 2025, financial institutions were racing against time to implement all the requirements of DORA, and in the rush issues of greater or lesser importance were often overlooked.
In the interests of due diligence, it is therefore worth re-mapping any gaps and taking appropriate corrective action. A post-implementation compliance audit can be a solution.
As part of a compliance check, the post-implementation audit should cover not only the review and, where necessary, adjustment of internal procedures and policies, the verification of the accuracy of the register of information, and the qualification of suppliers and the contracts concluded with them, but also the actual implementation of the relevant processes and compliance with all the requirements set out both in DORA itself and in its implementing acts.