Summary
The Digital Operational Resilience Act (DORA) has applied for four months, requiring financial entities to strengthen operational resilience across areas such as governance and ICT risk management. The transition has proven more complex than many expected: rather than a one-off compliance exercise, it is an ongoing process shaped by still-evolving supervisory expectations and a fast-moving vendor market. Non-compliance can draw serious penalties, including substantial fines and administrative measures imposed by national competent authorities. This article discusses the key challenges financial institutions (FIs) face in implementing DORA and suggests strategic priorities for building robust resilience.
DORA Requirements Recap
DORA (Regulation (EU) 2022/2554) sets out a unified framework for financial entities across the EU to strengthen Information and Communication Technology (ICT) risk management and improve their response to ICT disruptions. Its five core pillars are:
- A robust ICT risk management framework with clear governance and management-body accountability.
- ICT-related incident management, including classification of incidents and reporting of major incidents to competent authorities.
- Rigorous management and oversight of ICT third-party risk, including a register of information on contractual arrangements.
- A digital operational resilience testing programme, including Threat-Led Penetration Testing (TLPT) for the entities identified for it by their competent authority.
- Voluntary arrangements for sharing cyber threat information and intelligence.
The Regulatory Refinement Phase
The European Supervisory Authorities (ESAs: EBA, EIOPA and ESMA) are still refining how DORA is implemented, through regulatory and implementing technical standards, guidelines and Q&As that clarify the rules and how DORA interacts with earlier sectoral requirements. Because expectations continue to take shape after the application date, institutions must monitor these outputs closely and keep their programmes adaptable.
Supervisory Readiness: A Fragmented Landscape
National competent authorities are at different stages of aligning their supervisory practices with DORA, producing a fragmented landscape. Financial institutions, especially those operating in several member states, must track the specific expectations of each supervisor they answer to and adapt to these variations.
A Rapidly Adapting Market
In response to DORA, new tools and services for vendor risk assessment, incident reporting and compliance evidence keep emerging. Smaller institutions in particular rely on managed services to keep pace with evolving regulatory expectations, which in turn adds further ICT third parties to oversee.
Five Core Challenges Financial Institutions Are Facing
- Identifying Critical Processes and ICT Providers: Institutions struggle to determine clearly which of their functions are "critical or important" in DORA's sense and which ICT providers support them. Because this classification drives the register of information, incident classification and the scope of resilience testing, uncertainty here complicates compliance across every other pillar.
- Reassessing Third-Party Risk Practices: DORA's third-party oversight requires stronger pre-contractual due diligence, specific contractual provisions and ongoing monitoring of ICT providers, which many institutions currently meet only in part.
- Operational Resilience Testing Readiness: Institutions find it difficult to establish a testing programme that exercises ICT systems efficiently and effectively, and those within the scope of TLPT face the added effort of preparing for threat-led tests against live production systems.
- Supervisory Divergence Across Jurisdictions: Variability in enforcement and oversight across member states complicates compliance strategies, particularly for groups active in several countries.
- Moving from Paper Compliance to Operational Resilience: Many organisations find it hard to move beyond documenting compliance to demonstrably improving their ability to withstand and recover from ICT disruptions.
Strategic Priorities for 2025–2026
- Focus on What Matters Most: Prioritise compliance effort on the functions and ICT services where a disruption would have the greatest impact on customers, markets and the institution itself.
- Strengthen the Foundations: Invest in business process mapping to identify the ICT dependencies behind each critical or important function; without that map, risk assessment, incident classification and third-party oversight all rest on guesswork.
- Mature Third-Party Risk Practices: Move from static, point-in-time assessments of ICT providers toward continuous monitoring of their performance, security posture and concentration risk.
- Engage Proactively with Regulators: Maintain open communication with competent authorities to obtain guidance early and align on expectations before they are tested in supervision.
- Operationalise Continuous Compliance: Integrate ongoing controls testing and automated evidence collection into the compliance framework, so that the state of resilience can be demonstrated at any time rather than reconstructed for each inspection.
Resilience as a Strategic Imperative
DORA implementation marks a shift in how operational risk is managed. Institutions that embed resilience into everyday practice and stay ahead of regulatory change will be best placed to meet what comes next. The next 12 to 18 months will separate those taking a tactical, deadline-driven approach from those committing to long-term resilience strategies.
Why should I read this?
If you’re in the financial sector, this article’s a must-read! It not only lays out the nitty-gritty of DORA’s requirements but also highlights the significant challenges and strategic moves that FIs need to consider. With penalties looming for non-compliance and the clock ticking on adapting to these new rules, knowing the ins and outs of DORA could save you plenty of headaches down the road.