
Consequences and opportunities for financial services

The Digital Operational Resilience Act (DORA) applies from January 17, 2025. It aims to strengthen financial entities' resilience to ICT incidents across five key areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Although it is an EU regulation, DORA sets a high bar for operational resilience and cybersecurity that will have a knock-on effect across the global financial ecosystem, including non-EU third-party service providers that serve EU financial entities, and it may well shape future regulation elsewhere.

For financial services organisations, DORA will pose challenges, especially in terms of resources and investment, but it also promises long-term benefits: stronger operational resilience, better risk management, closer oversight of third-party service providers, and a single set of rules in place of fragmented national regimes. Ahead of the application date, organisations need to understand its specific requirements and adapt their practices so that they are compliant on day one and can realise those benefits.

DORA influence

One of the most common challenges organisations will face is the need to invest in hiring and developing talent. Meeting the requirements could involve significant investment in technology and people, especially for smaller organisations, and may mean hiring or upskilling staff with expertise in areas such as cyber resilience and regulatory compliance. Requirements for managing risks from third-party ICT service providers also become stricter, demanding additional due diligence and potentially affecting existing partnerships. That due diligence is only one part of DORA's complexity, and navigating the regulation and demonstrating compliance is likely to be a time-consuming process.

The overall positive impact of the regulation is increased resilience. Promoting a more robust and proactive approach to ICT risk management in financial institutions can reduce disruption from cyberattacks and other incidents, shorten recovery times and increase customer and investor confidence. DORA also standardises requirements, establishing a consistent set of rules across the EU and simplifying compliance for organisations operating in multiple member states. Businesses will be better placed to identify and report risks and to implement preventive measures, strengthening cooperation and knowledge sharing across the industry.

Importantly, while businesses will need to invest time, resources and personnel, the increased focus on security should be seen as a benefit to innovation rather than a brake on it. DORA promotes a collaborative approach to operational resilience, requiring diverse stakeholders to work together and share information effectively. Beyond timely sharing of emerging threats, shared risk assessments and collaboration on industry standards and guidelines build a more secure foundation on which new products and services can be developed on reliable, trustworthy platforms.

Taking a proactive approach

Financial services organisations should take a proactive, flexible and risk-based approach to DORA that balances compliance with business needs. The first step is an internal gap analysis: map DORA's requirements, across all five areas, against the organisation's current controls and processes to identify where it falls short. Organisations must also conduct regular risk assessments of their critical or important business functions and the ICT systems that support them, and develop contingency plans for any resilience issues those assessments uncover.

Most financial services organisations work with external providers, but new steps are needed before a partnership is agreed. Once a service provider is identified, the organisation remains responsible for assessing that provider's compliance with the applicable requirements and for confirming that it has the plans in place to address issues across all five pillars of DORA; outsourcing a service does not outsource accountability for it. The most robust service providers will let customers move data at scale, with high concurrency and performance, while keeping that data secure. DORA therefore offers financial services organisations a welcome opportunity to rethink their cloud and data strategies so that they can move data and workloads across regions and clouds as needed to avoid downtime or failures and improve resilience.

Financial leaders need to work closely with vendors and maintain an open dialogue with regulators, both in the EU and elsewhere. This dialogue is a positive step for the industry, as it lets third-party vendors and their customers meet the requirements in a robust, compliant manner while protecting customer data. A collaborative approach will be key to extracting business value from DORA, and financial leaders should choose vendors that operate under a clearly documented shared responsibility model, offering digital operational resilience, privacy and security commitments without compromising the services customers rely on.

Financial organisations should agree the key contractual provisions DORA requires with their chosen third-party service providers before signing a contract, rather than trying to retrofit them afterwards. Finally, companies should develop a compliance plan that prioritises activities, sets realistic timelines and allocates resources, so that they are ahead of the requirements when they start to apply next year.

DORA and the future

Now is the time to implement these measures, as acting early will put financial institutions in the strongest possible position to navigate the changes ahead. Once DORA applies, all in-scope financial entities will be required to comply with its risk management and testing requirements. This means implementing an ICT risk management framework, conducting regular vulnerability assessments and penetration tests (with threat-led penetration testing for those entities their competent authority designates), and maintaining robust business continuity plans for potential disruptions. Firms will also be required to report major ICT-related incidents to the relevant authorities within specified time frames. Overall, DORA aims to create a more robust and resilient financial ecosystem, in part by requiring financial institutions to manage third-party risks more effectively.

While financial organisations are accustomed to operating in a heavily regulated industry, DORA introduces a different level of compliance that must be demonstrated and maintained on an ongoing basis. Business leaders must take a proactive approach, engaging with the challenges and opportunities the regulation presents and preparing for a future of increased collaboration and knowledge sharing across the industry.

DORA provides an opportunity to refocus on cybersecurity practices and operational resilience. The coming months also offer a chance to prepare for potential future regulation in other jurisdictions. The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are considering similar regulation for the UK financial sector, and DORA is likely to be the first of many regulations targeting ICT and cloud resilience in the financial industry. DORA will help businesses see the risks they face more clearly and pave the way for a safer, more efficient global financial system. Now is the time for business leaders to act towards that future.