---

No DORA grace period for finance firms

Lawyers at McCann FitzGerald have warned that there will be no transitional period for financial firms ahead of the introduction of new EU legislation on digital operations. 

The EU rules aim to increase the resilience of the European financial market and reduce the risk of cyber-attacks. 

In a note on the firm’s website, the McCann FitzGerald lawyers highlight a statement from the European Supervisory Authorities (ESAs) last month on the Digital Operational Resilience Act (DORA). 

Readiness 

The statement reminded in-scope financial entities and ICT third-party service providers of the 17 January deadline and advised them to step up their DORA readiness preparations. 

It also reminded financial firms that they must have a ‘register of ICT third-party contractual arrangements’ available for competent authorities, such as the Central Bank, in early 2025. The competent authorities will, in turn, need to report these to the ESAs by 30 April. 

McCann FitzGerald also notes that the ESAs will designate the first critical third-party providers (CTPPs) in the second quarter of this year. These providers will be subject to a direct oversight regulatory regime by one of the ESAs.  

The ESAs comprise the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). 

Standards and guidance 

“Concerns about delays in the finalisation of key standards and guidance had been raised, so the statement signals a clear message from the ESAs that, despite these delays, DORA will apply from 17 January, and there won’t be any grace period,” the McCann FitzGerald lawyers say. 

They note that the European Commission has yet to adopt the “much-awaited” regulatory technical standards on sub-contracting. 

“There is also some ongoing uncertainty regarding the interpretation of the concept of ‘ICT services’ under DORA, which is to be addressed in an FAQ,” they conclude.