Banks and regulators say a common approach is much needed to successfully implement DORA

With only three months remaining until the implementation date, AFME brings to the light DORA-readiness after the transition period

The implementation of DORA – the Digital Operational Resilience Act that’s looming on the horizon – is being viewed as a significant operational uplift by all market participants, one of the AFME's panel discussions in London agreed. 

The main challenge according to banks (Barclays, Intesa Sanpaolo) and regulators (European Banking Authority – the EBA) speaking at OPTIC, is to have a common approach to DORA and resilience. It is not easy to implement it with different sizes of banks and branches and mutually integrate it.  

Maria Sorlini, Regulation guidance and coordination team leader at Intesa Sanpaolo, added that the global nature of financial institutions introduces further complications. Many institutions operate in multiple jurisdictions with varying regulatory requirements, making it difficult to achieve a unified compliance strategy. She stressed the importance of a common approach to operational resilience, which DORA aims to foster across the European financial sector. Also, it is a challenge for regulators and supervisors to have a common approach on an international level to align all the processes and procedures. 

DORA, a landmark regulation aimed at enhancing the operational resilience of financial institutions across Europe, is built on five pillars: risk management, resilience testing, incident reporting, third-party risk management, and information sharing. And although operational resilience had been on the radar for banks for over a decade, the panel recognised the ambitious nature of DORA and the necessary operational modifications to fulfil its mandates. As a matter of fact, as was mentioned, many financial institutions are working hard to align their internal systems and processes with DORA's requirements as the deadline draws near. 

Antonio Barzachki, Senior Policy Expert from the European Banking Authority (EBA), the regulator on the panel, acknowledged the industry’s concerns about timelines and implementation challenges. He assured that the EBA is committed to providing clarity through ongoing Q&A sessions and supervisory guidance. The EBA has also conducted a "dry run" exercise, where financial entities submitted registers of information to test compliance processes. He emphasised the importance of collaborative efforts between regulators and the industry to ensure smooth implementation. For these purposes, in the EU, ESAs, or European Supervisory Authorities are already in place. 

One of the themes discussed was also the need for proportionality in DORA’s implementation, and the EBA representative stressed that regulators are adopting a risk-based approach, recognising that not all financial institutions face the same level of risk. This principle of proportionality allows for flexibility in how institutions meet DORA’s requirements based on their specific risk profiles. 

Estelle Tran, DORA Legal Lead at Barclays, acknowledging the urgency of the situation, stated that the sheer volume of contracts to remediate for both banks and service providers, presents a substantial challenge in itself: "For some banks, it will be hundreds, for others, thousands of contracts." So, the complexity of identifying critical service providers and updating contracts accordingly is quite challenging and a tick-box exercise would not really mean reaching the goals of this regulation. Estelle also pointed out that, despite a clear regulatory scoping, banks across different jurisdictions have had to adopt varied approaches, complicating the process further.  

As Clare Jenkinson from Deloitte Legal pointed out, DORA is part of a broader trend of operational resilience regulation globally. As financial institutions adapt to DORA, they will also need to consider similar regulatory frameworks in other regions, such as, for instance, the UK's Operational Resilience Framework and Singapore’s Technology Risk Management Guidelines. Thus, a unified approach would be very helpful. Another point Clare made was the necessity to avoid DORA compliance becoming a tick-box exercise – as not all of the third-party providers and suppliers present a risk to an organisation. In the event of not thoroughly analysing the list of providers from a risk point of view, it won’t really count as DORA compliance.  

It's all about collaboration in the end, and DORA is introducing a new type of collaboration - between regulators and service providers – something that did not exist previously. As an evolving regulation, its full implementation will inevitably take time as firms continue to adjust their operations and regulators refine their supervisory practices. The key to success, the panel agreed, will be ongoing collaboration between all market participants - financial institutions, ICT third-party service providers, and regulators. While the road to DORA compliance presents significant challenges, specifically, around contract remediation, operational coordination, and regulatory convergence, there is an optimism expressed that the regulation will ultimately lead to a stronger and more resilient financial sector.