DORA has been live since January 16th 2023, with a 24-month implementation timeline granted by the EU. Therefore, financial entities have just under two years to become compliant with this new ICT risk management regulation.
January 17th 2025 is the ultimate deadline prescribed by the EU that financial institutions should be working towards. Since June 2022, when this deadline was announced by the EU, financial entities have had the opportunity to plan their roadmap to achieve compliance with this new regulation. Failure to comply will result in hefty administrative fines, remedial measures and criminal penalties* from the EU member states, adding an extra layer of pressure on financial institutions. However, our survey demonstrated that only 29% of the surveyed financial entities have a roadmap in place; the rest of the surveyed financial entities have chosen to start their roadmap in 2023 and some in 2024.
Based on experience with clients and insights gathered from the survey, Deloitte foresees the main challenges in implementation per pillar to arise in the following areas.
To be ready for DORA, Deloitte launched a survey between November 2022 and January 2023. The Deloitte survey covered 20 entities across 20 countries in Europe. The survey provided an overview of the readiness of financial entities as well as their approach to tackling DORA, and the main issues the surveyed financial entities are facing in their implementation. The main industry stakeholders of DORA, based on the survey, are banking at 41%, insurance at 31%, card issuers and acquirers at 24%, and payment service providers at 4%. To have access to the survey and gain insights on how financial entities are tackling DORA, please feel free to reach out to one of our contacts below.
DORA requires the ESAs to develop 13 secondary technical instruments in two distinct batches, respectively due by 17 January 2024 and 17 July 2024. The first batch (published on 19th June 2023) includes four Regulatory Technical Standards (RTSs) and one Implementing Technical Standard (ITS) as set out below and is open for public consultation until 11th September 2023:
Our services, aimed at supporting entities to comply with DORA, are eligible for (co-)funding by the EU under the Digital Europe Programme (DIGITAL). The budget for the digital operational resilience actions covered by this Work Programme is EUR 269 million distributed as follows:
In addition, actions supporting the deployment of the Secure Quantum Communication Infrastructures (QCI) are included in the Digital Europe Work Programme for 2021-2022, with an indicative budget of EUR 170 million. Our experts on DORA can advise you on how to apply for EU funding to develop actions aimed at strengthening ICT risk and Digital capabilities in the EU financial sector.
A two-year window might seem long but when one considers the challenges and requirements of DORA, it is but a short period within which to take cognizance of where you are at and the gaps needing to be filled to get you to where you need to be. Deloitte has experience and expertise in this domain. From performing a readiness assessment right through to assisting you with your implementation plan, Deloitte has diverse capabilities and insight that will enable you to move forward towards DORA compliance.