The Digital Operational Resilience Act (DORA) is set to come into force on the 17th of January 2025, aiming to strengthen the resilience of financial institutions against ICT-related incidents in five key areas: ICT risk management, ICT-related incident
management, digital operational resilience testing, ICT third-party risk management and information sharing. While it’s an EU-based regulation, DORA will set a high bar for operational resilience and cyber security that will have a ripple effect across the
global financial ecosystem, including third-party service providers, and potentially influence future regulations worldwide.
For organisations within the financial sector, DORA is likely to bring challenges, especially when it comes to resourcing and investment, but it also promises long-term benefits including enhanced operational resilience, improved risk management, oversight
of third-party service providers and standardised regulations. Ahead of its implementation, businesses need to stay informed about its specific requirements and proactively adapt their practices to ensure compliance, while reaping in the potential benefits
of enhanced operational resilience in a digital era.
The impact of DORA
One of the most prevalent challenges organisations will face will be the investment needed in terms of implementation and sourcing talent. Adapting to the requirements may involve significant investments in technology and resources, especially for smaller
institutions. It may also mean businesses need to hire or upskill existing talent with expertise in areas like cyber resilience and regulatory compliance. There will also be stricter requirements on managing risks associated with third-party ICT service providers,
requiring additional due diligence and potentially impacting existing partnerships. This additional due diligence is just one small part of the complexity of DORA, and navigating the new regulation and ensuring adherence will likely be a time-consuming process.
A positive implication is the overarching aspect of the new regulation bringing enhanced resilience. Promoting a more robust and proactive approach to managing ICT risks within financial institutions can lead to reduced disruptions from cyber-attacks and
other incidents, faster recovery times and strengthened customer and investor confidence. It also standardises requirements, which will help to establish a consistent set of regulations across the EU, simplifying compliance for organisations operating in multiple
countries. Businesses will be able to better identify and report on threats, and implement preventative measures, enhancing collaboration and knowledge sharing within the industry.
Importantly, while businesses will likely face investments in terms of time, resources and personnel, an enhanced focus on security should be seen as a benefit to innovation. DORA fosters a collaborative approach to operational resilience by requiring various
stakeholders to work together and share information effectively. As well as timely responses and sharing of emerging threats, joint risk assessments and collaboration on industry-wide standards and guidance all help to build a more secure foundation for innovation.
By doing so, more reliable and trustworthy platforms for developing new products and services can be built.
Taking a proactive approach
Organisations in the financial services space should take a proactive, flexible and risk-based approach when it comes to DORA, to balance compliance with business needs. The first step should be to conduct an internal gap analysis to identify relevant regulations
and assess the business’s current posture. By doing so, they will highlight any areas they are falling short. Organisations need to also conduct regular risk assessments of their internal and most critical business functions and develop contingency plans to
deal with any resiliency hiccups.
Most financial organisations will work with third-party providers, but new steps need to be taken before a partnership is agreed upon. Once a service provider is identified, it’s the organisation’s responsibility to evaluate that their service provider is
compliant with existing regulations and ensure that they are putting the necessary plans in place to effectively address pain points across all five DORA pillars. The most reliable service providers will enable customers to mobilise their data with near-unlimited
scale, concurrency and performance while also keeping the organisation's data safe and secure. DORA offers a welcome opportunity for financial service organisations to rethink their cloud and data strategies, to ensure they can efficiently shift data and workloads
as needed across regions and across clouds to avoid any downtime or outages, and to improve resilience.
Financial organisation leaders need to work closely with providers to maintain an open dialogue with regulators, both within the EU and other regions. This dialogue is a positive step for the industry, meaning that third-party providers can work together
to meet requirements in a robust, compliant way, working to protect the data at all costs. A collaborative approach will be key to extracting business value from DORA, and financial organisation leaders should take care to choose providers which operate in
a shared responsibility model, offering digital operational resilience, privacy and security commitments without compromising the services customers use.
Financial organisations should implement the key contractual provisions between them and the selected third-party service providers before signing a contract. Finally, businesses should develop a compliance roadmap which prioritises actions, sets realistic
timelines and assigns resources to get ahead of the regulation coming next year.
DORA and the future
Now is the time to implement these measures, as doing so proactively ahead of time will put financial institutions in the strongest position possible to navigate the impending changes. Once DORA comes into force, all regulated customers will need to comply
with the requirements around risk management and testing. This will involve having an ICT risk management framework in place, conducting regular penetration testing and vulnerability assessments, and maintaining robust business continuity plans in the face
of potential disruption. Firms will also be required to report major operational incidents to the relevant authorities within the stipulated timeframes. Overall, DORA aims to create a more robust and resilient financial ecosystem by requiring financial institutions
to also manage third-party risks more effectively.
While financial organisations are used to operating in a highly regulated industry, the implementation of DORA brings a different level of compliance to adhere to. Business leaders must take a proactive approach, engaging with the challenges and opportunities
offered by the regulation and preparing for a future of increased cooperation and knowledge-sharing across the industry.
DORA brings the opportunity for a renewed focus on cybersecurity and operational resilience practices. The coming months also offer a chance to prepare for potential future regulations in other territories. The UK's Financial Conduct Authority (FCA) and
Prudential Regulation Authority (PRA) are considering similar regulations for the UK financial sector, and DORA is likely to be the first of many cloud-related regulations for the finance industry. DORA will enable businesses to shine a light on the risks
they face and pave the way for a safer, more efficient global financial system. Now is the time for business leaders to act to work towards this future.