Dorothee Ciolino

Two months remain before the Digital Operational Resilience Act (Dora) comes fully into force in January 2025. A CSSF survey launched this summer has revealed that the compliance process for most entities is ongoing, but challenges remain regarding resources, dependencies, delays, and contractual negotiations.

This survey was undertaken to provide a better view of the readiness of relevant financial entities to comply with Dora requirements and to raise awareness within the industry of the time left before compliance is mandatory.

Among the respondents, credit institutions were found to be the most advanced, with over 97 percent having completed a gap analysis. Alternative investment fund managers (AIFMs) and management companies followed closely, with nearly 90 percent having completed such an analysis, while investment firms ranged between 74 percent and 84 percent.

The ABBL survey published in June 2024 showed a similar pattern, with the compliance process also ongoing. In spring, entities focused on the gap analysis work, and there was a fairly high level of confidence that they would have everything in place in time (79 percent of entities were either fairly confident or very confident).

However, the management of ICT third-party risk remains the greatest challenge, with 80 percent of participants mentioning it. From a legal standpoint, respondents most frequently raised the issue of negotiating key contractual provisions (article 30 of Dora) with third parties.

This is because the negotiation process can be prolonged and complicated. Dora requires adding provisions to IT service agreements, which may prompt third-party providers to fully renegotiate the service agreement (including fees). This challenge is considered the primary one by AIFMs and management companies (Mancos), with 51 percent citing it as a significant issue.

This point is identified, even by the most advanced entities, as the main cause of delay in preparing for January 2025. Most entities acknowledge that they may not be ready due to lengthy contractual clause negotiations. Investment firms similarly identified negotiations with ICT service providers as their top challenge, with 53 percent noting it and 18 percent prioritizing it.

Another crucial challenge is establishing new governance structures and digital resilience strategies. Implementing a new internal governance structure and strategies requires aligning all stakeholders within financial entities. Sometimes, at a group level, this can mean navigating political issues and competition among intra-group entities. These challenges are also time-consuming, and AIFMs and Mancos consider dependency on group coordination to be their second-greatest challenge (44 percent).

Finally, a top challenge in complying with Dora is the uncertainty and lack of clarity regarding the information required to complete the register. This uncertainty has been heightened by the European Commission’s (EC) recent rejection of the technical standards on information registers.

The initial technical standard mandated the use of the Legal Entity Identifier (LEI), while the EC’s position now allows financial entities the choice of identifying their European ICT third-party service providers using either the LEI or the European Unique Identifier (EUID).

From a practical standpoint, the LEI is the industry’s commonly used standard, which is why the ESAs noted that, where both LEI and EUID are available, entities should give preference to the LEI. In the case of groups, the ESAs have stated that it is essential to ensure consistency in the registered identification codes for all ICT third-party service providers.

Despite uncertainty regarding which identifier to use, it is crucial to remember that this cannot be cited as a valid reason for delaying the register’s completion. The compliance deadline for all entities remains January 17, 2025, so a continued focus is necessary, and entities must push forward to meet this deadline.

Dorothée Ciolino is a commercial, corporate and IT lawyer based in Luxembourg at Norton Rose Fulbright. The law firm is a knowledge partner of Investment Officer Luxembourg.
