
Getting ready for DORA compliance: what financial institutions should know for 2025

DORA compliance is now in effect! As of 17 January 2025, financial institutions are required to meet the standards set by the Digital Operational Resilience Act (DORA). With national supervisors like the Dutch Authority for the Financial Markets (AFM) increasing their supervision, it’s time to prioritize your preparations! Here’s a quick breakdown of what to expect and how to stay ahead.

What’s changing in 2025?

Starting this year, supervisory authorities will actively review how financial institutions comply with DORA. This includes submitting critical information to the European Supervisory Authorities (the ESAs: EIOPA, ESMA, and EBA) and ensuring operational resilience across the financial sector.

For a detailed look at the DORA regulation, you can access the official text here: DORA Regulation (EU) 2022/2554.

Key Priorities for 2025

1. Submitting the register of information

The first big milestone for DORA compliance is the register of information. Here’s what you need to know:

  • Deadline: the AFM and DNB must submit the first registers of information to the ESAs by 30 April 2025.
  • Action needed: If your organization is subject to DORA, expect an information request from the AFM soon after DORA takes effect. Preparing now is important to meet the deadline.
  • Annual updates: After the initial submission, you’ll need to provide updates yearly. The AFM and DNB will verify your register before it’s sent to the ESAs.

This register helps ESAs identify critical ICT third-party providers, who will then come under direct ESA supervision.

 

2. Reporting ICT-related incidents

Major ICT incidents must be reported promptly. Here’s how it works:

  • Notification timeline:
    • Notify the AFM or DNB within 4 hours of classifying an incident as “major.”
    • Submit an intermediate report within 72 hours.
    • Deliver a final report within 1 month.
  • Proactive communication: while reporting is mandatory for major incidents, voluntary reporting of cyber threats is also encouraged. This helps build a clearer picture of sector-wide risks.

The AFM will assess your reports for completeness and may request additional details to understand the full impact.

 

3. Threat-led penetration testing (TLPT)

For some firms, TLPT will become part of compliance efforts. Firms designated by the AFM will undergo rigorous testing to ensure resilience against cyber threats.

  • Designation: If your firm is selected, you’ll be notified by letter.
  • Preparation: the AFM will guide you through the process, from planning to execution.
  • Certification: successful completion earns your firm a certificate demonstrating compliance.

 

What Should You Do Next?

  1. Act now: start preparing your register of information and review incident reporting protocols.
  2. Engage your team: ensure your ICT and compliance teams understand DORA’s requirements.
  3. Stay updated: follow updates from the AFM and be ready to act on any requests or notifications.

Why DORA matters

DORA isn’t just about meeting regulatory demands; it’s about strengthening the financial sector’s resilience in an increasingly digital world. By preparing early, your organization can avoid unnecessary risks, show compliance, and build trust with stakeholders.

Let’s embrace this challenge as an opportunity to improve operational resilience and cybersecurity across the board. Is your organization ready for DORA? Share your thoughts below!

Posted by liekeinnemee on 2025-01-29 10:48:36
