Understanding the DORA deadline

Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

This piece has been co-authored by Racheal Muldoon, partner, and Hasan Almosoy, associate, both in the financial services regulation and funds team at law firm Charles Russell Speechlys.

Today is the deadline for fintech firms to ensure that existing measures sufficiently hold up to the new standards imposed by the EU's Digital Operational Resilience Act (DORA). DORA aims to bolster the resilience of financial institutions against information and communication technology (ICT) related incidents, raising the bar for operational resilience and cyber security. Below, we explore DORA, the minimum regulatory requirements firms must now meet, and the necessity for compliance.

Understanding DORA and its scope

DORA is a landmark regulation designed to enhance the digital operational robustness of financial institutions across the EU as part of a broader legislative framework. Although it is an EU-based regulation, its impact will no doubt be felt globally. DORA addresses the following five key areas:

  1. ICT risk management
  2. Incident management, classification and reporting
  3. Digital operational resilience testing
  4. Third-party risk management
  5. Information sharing

It is not just payment and electronic money institutions, banks and insurers that need to comply. DORA’s reach extends to other types of financial entities operating within the EU, such as crowdfunding service providers, digital asset/cryptoasset service providers and credit rating agencies. DORA also applies to ICT third-party service providers, including providers of cloud computing services, software, data analytics services, and data centres.

Under DORA, these entities are required to implement robust internal governance and control frameworks to manage ICT risks effectively. This includes, but is not limited to:

  • Risk management: the establishment of comprehensive ICT risk management frameworks that identify, assess and mitigate ICT risks by design and by default.
  • Governance: the implementation of comprehensive governance structures to ensure transparency, accountability and operational resilience.
  • Reporting: the reporting of major ICT-related incidents to the relevant authorities within specified timeframes.
  • Testing: the conduct of regular digital operational resilience testing.
  • Third parties: the management of ICT third-party risk, meaning fintech firms must ensure that their third-party service providers comply with stringent operational resilience standards.
  • Transparency obligations: the sharing of information about cyber threats and vulnerabilities.

Crucially, financial entities are required to implement DORA on a proportionate basis, considering their size and overall risk profile, and the nature, scale and complexity of their services, activities, and operations.

Organisations should also be cognisant of DORA’s regulatory technical standards (RTS) and implementing technical standards (ITS), which provide clear guidelines and standards that help financial institutions understand and meet its requirements. Understanding these components will be key to navigating DORA successfully.

No extension

The European Supervisory Authorities (ESAs) have previously made it clear that the legal deadline will not be extended, nor will there be an extended transitional period.

It is unsurprising that some financial entities may struggle to achieve full compliance by today’s deadline due to the breadth of obligations introduced by DORA. The enforcement approach of European regulators for non-compliance remains uncertain. The extensive nature of the new regulations may force regulators to adopt a targeted approach to enforcement, focusing on firms by market prominence or on discrete aspects of the compliance framework. For example, ESAs have already highlighted that entities will be expected to submit DORA registers of information in early 2025, making this an immediate enforcement priority.

By continuing to prioritise DORA compliance, financial entities can greatly mitigate the risk of regulatory enforcement action.

No leniency

Given that the ESAs maintain that firms must be fully compliant by today’s deadline, it is highly unlikely that national competent authorities (NCAs) will have the discretion to grant extensions for, or show leniency toward, entities that have not achieved full compliance. Fintech firms should, therefore, take compliance with DORA very seriously, as it is unlikely that they will benefit from supervisory discretion.

The price of non-compliance

Non-compliance with DORA can lead to significant financial, operational, and reputational consequences for fintech companies and their service providers.

ICT risks, when they materialise, often cause costly disruptions to the business operations of fintech firms. The damage does not stop there, however. Financial penalties for non-compliance may be substantial. Enforcement measures, including fines, will be determined and administered by NCAs and, where applicable, in coordination with the ESAs. The exact nature and severity of penalties and supervisory actions may differ across member states, reflecting local legal and regulatory nuances.

Non-compliance poses a significant risk to a firm’s reputation in the international marketplace. Enforcement actions arising from non-compliance will likely be publicly disclosed to deter others, leading to loss of customer trust and adverse market perception. Meanwhile, persistent non-compliance may trigger further business disruption with increased supervision, more frequent audits, stricter reporting obligations, and other supervisory measures, escalating oversight from NCAs and potentially involving ESAs.

Given these substantial risks, it is imperative that financial entities continue to prioritise compliance with DORA. In doing so, fintech firms will not only mitigate these risks but also gain a competitive advantage in a crowded market, both through operational stability and through cultural resilience.

Seek advice

By prioritising key compliance initiatives and seeking advice, fintech firms can strengthen their operational resilience and ensure robust adherence to the new regulatory standards. From today, partial compliance will not suffice.
