The Digital Operational Resilience Act (DORA) implementation deadline is less than a week away, and with financial firms facing fines of up to two per cent of annual global turnover for failing to comply, they are double- and triple-checking to ensure they are compliant. With only six days to go, we look at some of the biggest last-minute hurdles firms are facing as they look to be in line with DORA.
The DORA regulation deadline was first introduced in 2022, with the aim of safeguarding financial services against ICT-related incidents. Historically, firms would allocate capital to cover any losses faced as a result of a breach; however, this would only act as a short-term solution. DORA aims to solve the problems in the long term by ensuring firms have protection, detection, containment, recovery, and repair measures in place.
Traditional methods of dealing with ICT breaches would often result in a financial organisation adjusting its own offerings while leaving potential ICT third parties still at risk. With DORA, a new set of rules has been laid out for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
As a result of the new regulation, which comes into effect on 17 January, financial entities can face fines of up to two per cent of worldwide annual turnover, while associated third parties could be fined €5 million. Meanwhile, individuals at financial firms could face a €1 million fine for non-compliance, and individuals at third parties could be fined €500,000.
Dotting the ‘i’s and crossing the ‘t’s
Organisations should be aware of whether DORA is applicable to them and, in turn, their ICT third-party providers. As such, work has likely been underway already to ensure compliance. However, with the deadline quickly approaching, firms must make sure their incident reporting processes and protocols are fully operational and aligned with regulatory requirements, according to William Davenport, chief sales officer at Wordwatch, the compliance and record management solutions platform.

He said: “Firms must conduct final checks – including making sure staff are aware of their roles in incident detection, management, and with escalation processes. We would also suggest reviewing any gaps in third-party risk management by confirming that external ICT suppliers meet resilience standards – keep a log to ensure this is validated on a regular basis.
“Finally, if you haven’t already, consolidate data from legacy systems to streamline compliance and reduce risks associated with managing outdated infrastructure.
“This will clearly take more than a few days, but as many of you will know, regulators are often appeased when they see a mitigation plan is in action and steps are being taken to ensure compliance. Seek help from external experts if you have any questions.”
What’s critical and what’s important
The discussion between ICT third party and financial organisation must be constant, as both entities must be aligned on what critical changes need to be made ahead of the 17 January deadline. Commenting on the potential to and fro that can ensue, Nathaniel Lalone, financial markets and funds partner at law firm Katten Muchin Rosenman LLP, said: “As with most major regulatory implementation deadlines, we all seem to be fumbling towards the finish line.

“DORA introduces very specific and prescriptive requirements and has lots of moving pieces, but we have seen two key compliance challenges.
“First, in terms of updating contracts, there is a ‘battle of the forms’ between financial entities, who want all their service providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has the stronger negotiating power and who blinks first?
“Second, the compliance burden ratchets up for service providers supporting ‘critical or important’ functions, and there’s some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision. This leaves open the risk that some providers of a given service are designated by their financial entities as supporting ‘critical or important’ functions and subject to heightened obligations, whereas providers of a nearly identical service are not.
“That seems inequitable and it’s not clear how to solve for those discrepancies with the rules as they currently stand.
“Alongside these challenges, the ongoing DORA obligations remain with firms grappling to integrate compliance with existing requirements and internal systems, while managing resourcing constraints.”
IT and beyond
While DORA places a strong emphasis on ICT teams and third parties, the regulation is not restricted to them and organisations must ensure everyone across the board understands what they must do. Exploring this point further, Helen Barge, senior risk and resilience consultant at Barnett Waddingham, the consultancy firm, said: “A key consideration moving forward will now be ensuring it remains an organisation-wide approach.
“For some, there can be the perception that business continuity is restricted to the IT team and not the wider organisation; but ensuring the robustness of information security, and minimising cyber risk will only work if everyone across the business is on board, including your supply chain as no organisation operates in isolation. Eliminating silos and ensuring a top-down approach to compliance will minimise risk, and will be vital to ensure compliance moving forward.”
Impacts beyond traditional finance
While it would initially be easy to think that DORA only applies to traditional financial services, it will also be applicable to other aspects of the financial world, including crypto and proptech.

Commenting on its impact on crypto, Can Taner, CPO at Bitpace, the crypto payment gateway, said: “DORA, in parallel with the recently introduced MiCA guidelines, will also provide the strong regulatory framework needed to legitimise the asset class as a viable and trusted payments solution for businesses. At a time when many European businesses are dealing with operational challenges and high costs as a result of various geopolitical and macroeconomic factors, crypto offers them the critical alternative gateway they need to remove barriers and continue trading globally.”

From a proptech standpoint, J.P. Bowgen, principal at Camber Creek, the venture capital firm, added: “The aperture of what we define as real estate technology continues to expand, and we’re increasingly seeing it overlap with financial services and fintech. For current and prospective portfolio companies, DORA will be a key consideration in determining the viability of possible future European expansion.
“For companies looking to scale in Europe, understanding and addressing these requirements early can become a powerful competitive advantage. Failing to anticipate DORA’s requirements could create a significant last-minute hurdle for companies aiming to expand in Europe, potentially delaying market entry or eroding trust with key partners and customers.”