Today is 17 January 2024. DORA’s compliance deadline — 17 January 2025 — is exactly twelve months away. The regulatory technical standards that define the detailed requirements have been finalised or are close to finalisation. The countdown is real. And based on what we are seeing across the financial services sector, a significant proportion of in-scope entities are materially behind where they need to be.
This post provides an honest assessment of the compliance landscape twelve months out and a practical programme for the next twelve months.
Where Most Entities Actually Stand
The most common picture we see: an entity that has scoped the DORA requirements, identified its compliance programme workstreams, and made some progress — particularly on the ICT risk management framework, where existing ISO 27001 or internal audit programmes provide a starting point. The areas where progress is most commonly lagging are the ICT third-party risk requirements and the incident reporting process.
ICT third-party register: Most entities have not completed a comprehensive ICT third-party inventory. They have a partial list of known major providers. The discovery exercise that would surface the full population of third-party arrangements — including the shadow IT, the dormant legacy arrangements, and the business unit-adopted SaaS tools — has not been done.
Contract review: The mandatory contractual provisions that must be in place for arrangements supporting critical or important functions require a systematic review of existing contracts. Few entities have completed this. Contract remediation programmes — working with providers to incorporate DORA-mandated provisions — are time-intensive and cannot be deferred to Q4 2024.
Incident reporting: Incident classification processes that meet DORA’s major incident criteria have been designed in outline but not operationally tested. The 4-hour notification window has been noted as a challenge but the process that enables it — rapid classification, escalation, and notification — has not been built and tested.
The 12-Month Plan
Q1 2024 (January to March): Complete the foundational work. Finalise the ICT third-party register through a comprehensive discovery exercise. Complete the critical function assessment for all third-party arrangements. Complete the ICT risk management framework design. Begin the contract review programme for critical/important function arrangements.
Q2 2024 (April to June): Remediate the highest-priority gaps. Complete contract remediation for critical/important function arrangements — either updating existing contracts or ensuring new contracts meet DORA provisions. Implement the incident classification methodology. Design and document the incident notification procedures. Begin the digital operational resilience testing programme.
Q3 2024 (July to September): Test and validate. Run tabletop exercises that test incident classification and the 4-hour notification process. Conduct the required ICT resilience testing. Run internal reviews of the ICT risk management framework and third-party risk management processes. Address findings.
Q4 2024 (October to December): Evidence and finalise. Collect compliance evidence across all DORA pillars. Ensure management body review and approval of the ICT risk management framework. Prepare regulatory reporting capability for the third-party register. Brief senior management and the board on DORA compliance status.
This plan is achievable — but it requires starting the foundational work now, in January 2024. Entities that enter Q2 without a complete third-party register and a contract remediation programme underway will be in difficulty.
At Bitsecura, we are running DORA compliance programmes for financial entities across the EU — from initial scoping through third-party risk management implementation, incident reporting design, and resilience testing. If you are twelve months out and need to accelerate, talk to us here.
Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.