DORA regulation now in force

DORA applies to a wide range of 20 types of financial entities, including banks, insurance and reinsurance companies, institutions managing occupational pension schemes, insurance and reinsurance intermediaries, investment firms, trading platforms, crowdfunding service providers, payment institutions, and electronic money institutions.

Supervision will be tailored to the risk profile, size, scale, and complexity of the activities carried out by these entities.

Among the main obligations is the mandatory classification and reporting of serious ICT-related incidents from January 17, 2025.

Financial entities must also provide the competent authorities with records of contracts with third-party ICT service providers at the beginning of 2025. National authorities will have until April 30, 2025, to report this information to the European Supervisory Authorities (EBA, EIOPA, and ESMA).

DORA is structured around six key areas:

  • ICT risk management: principles and requirements for the ICT risk management framework.
  • Third-party ICT risk management: monitoring risks from third-party providers and specific contractual provisions.
  • ICT incidents: general requirements and reporting of serious ICT-related incidents to the competent authorities.
  • Resilience testing: basic and advanced tests for all institutions at least every three years.
  • Information sharing: exchange of information on cyber threats.
  • Supervision of third-party critical ICT service providers through a dedicated supervisory framework.

It is important to note that the technical standards and guidelines issued by the European Supervisory Authorities in January and July 2024 will also come into force on January 17, 2025.

The and Law Department at recommends that entities strengthen their digital security and adopt measures to comply with DORA, so that they can respond to and recover from serious incidents and maintain the continuity of their operations.

We are fully available to provide the necessary support in this adaptation process and to offer any further clarifications or advice on this matter.

 
