This date marks another significant milestone, after DORA entered into force two years ago. The Act requires financial entities, in the broadest sense, as well as certain IT service providers, to become DORA compliant. Find out below how our team of technology and financial services regulatory experts can help you.
Join us for an event on 20 February to mark this milestone and discuss the challenges of navigating DORA compliance with peers and colleagues. More details here.
Insights
As an EU regulation, DORA requires no transposition into national law, but it does require EU member states to set out, among other things, the powers of competent authorities and sanctions in national law. EU member states are taking different approaches to implementation, particularly regarding deadlines, competent authorities, and incident reporting procedures. Below we have mapped core aspects of the implementation status and approach of five key jurisdictions: Germany, Luxembourg, Ireland, Spain and The Netherlands.
Status of implementation by country
Germany
In Germany, the Bundestag passed the Financial Market Digitalisation Act (FinmadiG) in December 2024, implementing both DORA and the Markets in Crypto-Assets Regulation (MiCAR).
Competent authorities: BaFin and the Bundesbank.
Fines: The role of these authorities is to monitor compliance and sanction non-compliance among financial institutions, with powers to issue orders and impose fines up to €5 million.
Register of information: Financial entities based in Germany must submit the register of information, a requirement under DORA, to BaFin.
Revocation of local legislation: The introduction of FinmadiG and DORA results in the revocation of certain BaFin IT supervisory requirements (KAIT, VAIT, ZAIT) to establish a harmonised EU-wide approach. BAIT for banks will be fully revoked by December 2026.
Ireland
In Ireland, the Central Bank of Ireland has released guidelines on the register of information and incident reporting.
Competent authority: Central Bank of Ireland
Register of information: Financial entities will be required to submit their registers of information by Friday, 4 April 2025, and the registers should contain information as of 31 March 2025. The Central Bank will issue further information on the submission process in due course.
Reporting incidents: The Central Bank has confirmed that reports on major ICT-related incidents should be submitted via the Central Bank Portal, and has published detailed guidance and templates on the reporting process.
Luxembourg
In Luxembourg, the law implementing DORA was adopted in July 2024.
Competent authorities: CSSF and CAA.
Fines: These authorities will be competent to supervise the implementation of DORA, and to impose fines of up to €5 million.
Register of information: Financial entities are required to submit their registers of information to the CSSF from 1 April 2025 to 15 April 2025 via eDesk.
Reporting incidents: The CSSF has a new procedure for reporting major incidents with two forms available in eDesk. Financial entities must create the role of "IT incident notifier" and set up their systems by 17 January 2025 to comply. This replaces the old reporting method for entities now under DORA.
Spain
In Spain, a draft bill was approved in December 2024 aiming to modernise and digitalise the financial sector. This includes the incorporation of necessary measures for DORA compliance across several legal acts.
Competent authorities: CNMV, the DGSFP and the Bank of Spain.
Reporting incidents: The CNMV and DGSFP have published some guidelines for the reporting of major incidents and significant cyber threats.
Further guidance: The CNMV published a report on the results of a self-assessment exercise carried out by 245 entities on operational resilience, including DORA. The report includes recommendations, expectations and regulatory issues to assist entities with the implementation of DORA.
The Netherlands
The legislation implementing DORA will enter into force on 17 January 2025.
Competent authorities: Dutch Central Bank (DNB) and the Authority for the Financial Markets (AFM).
Register of information: The regulators have now set firm dates for submission of the Registers of Information:
For financial entities supervised by the Dutch Central Bank (DNB), the deadline is 23 April 2025
For financial entities supervised by the Authority for the Financial Markets (AFM), the deadline is 16 April 2025
Reporting incidents: The national authorities have enabled the reporting of cybersecurity incidents through their respective website portals.
How can we help Financial Entities?
Our DORA Toolkit provides a range of materials to help our clients comply with DORA. These materials include:
Template DORA contract addendum
Template DORA remediation playbook
Governance checklist
Template policies for ICT incident management and testing
Template register of information
Our clients have welcomed being able to speed up their DORA compliance through the use of our off-the-shelf tools.
How can we help Suppliers?
Our team of technology and regulatory experts has advised some of the largest suppliers to the financial sector on their DORA compliance journey. We have developed extensive hands-on experience of the challenges faced by in-house teams and we can assist clients with:
Drafting bespoke addenda that assist clients in updating their contracts for DORA in a balanced manner. This approach allows suppliers to seamlessly integrate the terms into their existing processes and agreements while also supporting clients with their own updates and obligations under DORA.
Providing playbooks that give a detailed understanding of DORA obligations and highlight the areas of flexibility within DORA. This ensures that the contractual terms are implemented effectively and without unnecessary gold plating.
Reach out to our team for more information.



