How DORA is fortifying Europe’s financial future with a new take on operational resilience
In just over half a year, the 22,000 entities forming the vibrant patchwork of financial services in Europe will find themselves face-to-face with the Digital Operational Resilience Act (DORA) – the latest stitch in legislators’ ongoing attempts to weave together an industry increasingly reliant on an intricate network of connections.
As vast as it is intricate, DORA is a new regulatory framework set forth by the European Commission to, above all, bolster the digital operational resilience of the continent’s bustling financial sector.
When its deadline comes around on 17 January next year, industry players must be able to evidence and practise measures that prove an ability to withstand, respond to, and recover from disruptions or threats of any kind originating from ICT systems.
Here, FinTech Futures presents a detailed dossier of DORA. We take a look at its scope and intended outcomes and explore key measures that will prove essential to ensure firms’ readiness to comply at the turn of the new year.
A brief history of DORA
While financial services remains one of the most highly regulated and tightly controlled industries in the world, it is also arguably one of the fastest moving. And with this, any effort to introduce a new way of doing things must be highly calculated, widely applicable, and thoroughly thought through.
As such, DORA has been a long time coming. The concept was notably first thrust into the limelight in March 2018, when a Fintech Action Plan devised by the European Commission stressed the importance of an operationally resilient financial sector, as well as the potential consequences posed by the contagion of ICT-related disruptions and cyber threats.
This was followed by a call set out by the European Banking Authority (EBA) in April 2019 for a coherent approach to ICT risk in finance including, among other suggestions, an effective risk management framework capable of supporting timely incident reporting and third-party risk mitigation.
These efforts led to the Commission publishing its first draft of DORA in September 2020, as part of the wider Digital Finance Package, before legally binding the framework in January 2023, with a two-year implementation period to follow.
Ready for resilience
With the implementation period now slowly but surely drawing to a close, firms have been tasked with readying the ground for a range of measures aimed at ensuring the continuity of ICT systems, healthy third-party integrations, and an industry devoid of fraud.
For DORA, digital operational resilience very simply means “the ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.
Developing on this statement in a conversation with FinTech Futures, Simon Treacy, a senior associate at global law firm Linklaters, describes DORA as “a very prescriptive framework for financial entities, primarily to build and improve the way that they manage ICT risk”.
“It applies very broadly across the EU regulated financial sector,” he continues, “and really part of its aim is to harmonise standards so that the smallest payments firm is subject to the same rules for operational resilience as the biggest banks and insurers.”
These measures seek not only to give financial regulators an easier route to pinpoint specific weaknesses across the sector but also, as Treacy highlights, to provide the means to identify risks that emerge from beyond the ringfence of regulation, with cloud and other technology service providers singled out in its focus.
Discussing how these demands play out in practice, Treacy lends an insightful analysis by organising DORA’s requirements into three Rs:
Risk management
Risk management comes as the first of the three. In this, DORA underlines the establishment of an ICT risk management framework, which is to include “strategies, policies, procedures, ICT protocols, and tools that are necessary to duly and adequately protect all information assets and ICT assets”, to ensure service continuity in the event of damage and/or unauthorised access.
DORA stresses that this framework must be “appropriate to the magnitude of operations” and is to fall subject to periodic testing, with specific attention to “critical or important functions outsourced or contracted through arrangements with ICT third-party service providers”.
Operationally, Treacy says regulated firms will now have to present “a package of documents that show that you are ready to bounce back from disruption when it happens”.
This disruption could range from a cyber-attack, data breach, or third-party outage to a botched IT upgrade – DORA offers the regulatory equivalent of hoping for the best but preparing for the worst.
“Whatever it is, if it’s relating to ICT in some way, firms need to be able to put forward this package of policies, plans, and procedures which evidence their readiness to withstand that kind of disruption,” he adds.
Reporting
DORA aims to establish a new standard for how risk data is reported and addressed within the financial industry, which is why for Treacy, reporting is a central player in our trio of Rs.
“To prevent ICT systems from losing integrity or becoming unavailable, and hence to avoid data breaches and damage to physical ICT infrastructure, the reporting of major ICT-related incidents by financial entities should be significantly improved and streamlined,” the legislation states.
This streamlining, it continues, is to include the installation of early warning indicators and procedures to “identify, track, log, categorise, and classify ICT-related incidents”, among other measures.
In reporting this data, financial firms of all sizes are set to play a more forward-looking role in helping regulators route the relevant information to the right resources, while also bolstering their ability to escalate concerns and resolutions to the relevant non-financial authorities, such as national data protection authorities and competent authorities.
For Treacy, one of the major requirements set out by the regulation is the advent of the DORA register, which regulated firms must use to list all their ICT services provided by a third party.
“That register includes details, not just about the contractual arrangements you have with that third party, but also in some cases information about subcontractors further down the supply chain, so that you can manage risks, not only in relation to your direct service provider, but also further down the ICT supply chain,” he says.
Repapering
DORA emphasises that a single weak link can fracture the entire supply chain, and therefore not only seeks to impose more rigorous reporting exercises, but to also install compliance at the core of third-party relationships, which is why Treacy caps off our R triumvirate with repapering.
On paper, this endeavour will require a sizeable shift in contractual terms, which, aside from new requirements for preliminary assessments and exit clauses, also includes new negotiation powers for financial services firms.
“When renegotiating contractual arrangements to seek alignment with the requirements of this regulation, financial entities and ICT third-party service providers should ensure the coverage of the key contractual provisions as provided for in this regulation,” DORA says.
Treacy says financial services firms will now need to revisit third-party agreements to ensure contractual adherence to DORA, while also instigating measures to fill in any gaps.
“That repapering exercise is a big challenge,” he explains, “because there is typically little appetite to open up existing terms, and it may prove difficult to engage vendors in this kind of process.”
DORA seeks to ensure that no stone is left unturned in its pursuit of operational resilience, encouraging firms to reflect its principles throughout their everyday decisions.
With the January deadline looming, preparations are underway to ensure firms can meet these demands, putting their readiness to the test.
Compliance countdown
At no less than 79 pages long as per its latest draft, DORA’s prescriptive approach to operational resilience will require a significant amount of consideration in practice.
For the big players in the industry, the arrival of DORA will arguably come as less of a shock than to smaller firms that don’t have the same resources as multinational incumbents.
“Preparing for DORA poses challenges and resource demands in the short term. Businesses must allocate resources to adapt their operations, systems, and processes to comply with the new requirements,” Sara de la Torre, head of financial services at commercial data, analytics, and business insights provider Dun & Bradstreet, tells FinTech Futures.
“This creates a greater financial burden, particularly for SMEs with smaller budgets and personnel. In contrast, large enterprises typically show a higher degree of preparedness, due to bigger budgets and dedicated compliance teams,” she continues.
“These firms typically engage in extensive training programmes, hire legal and regulatory experts, and implement advanced technological solutions to meet regulatory standards effectively.”
For those finding themselves in the earlier stages of preparation, unfortunately, “if you haven’t started yet, you’re already too late”, asserts Rayna Stamboliyska, CEO at RS Strategy and digital EU ambassador for the European Commission, in conversation with FinTech Futures.
The Paris-based consultancy partners directly with clients to implement DORA. And while Stamboliyska has extensive experience with similar EU regulations, including the NIS2 Directive, which took effect last year in an effort to harmonise cybersecurity standards across member states, even she describes DORA as “a different beast”.
But she also praises DORA’s clarity, stating: “It’s dense because it’s so specific, but DORA is very clear. You have timelines, you have requirements, you have controls and so on.”
On preparations to receive this remit, Stamboliyska notes that certain third parties, namely cloud and cybersecurity providers, already have initiatives well under way to ensure a warm welcome.
“I see that the majority of cloud providers already have the documentation in place for how each of their products comply with different parts of the regulation, and it’s the same for cybersecurity tools for clouds too.
“It’s very interesting because cloud providers appear to be among the first to have controls in place for both NIS2 and DORA.
“And it’s a very useful thing because that’s where it actually helps with operations, to do compliance without doing it in a way.”
‘Not just a technology problem’
For Tom Henshaw, EMEA head of platform go-to-market for financial regtech company Fusion Risk Management, the main stalling point in European regulators’ increased focus on resilience, and specifically in the wake of DORA, is that firms erroneously believe it is solely a technology issue.
“This is a business alignment problem with an understanding of technology, not just a technology problem to understand where your data is,” Henshaw explains.
“It’s about what data is used for and what the impact could be of denial of availability, communication, and resilience. This is a very intentional approach by the regulators.
“Resilience is all about the assumption that a cyber-attack will come to fruition, which they do, there’s no getting away from that. And no matter how sure a firm’s cybersecurity programmes are, the attacks will come to fruition.
“So DORA is really based on that assumption that the attack will be successful at some point.”
Henshaw stresses that the reputational advantages of service continuity could far outweigh the implementation costs firms incur in preparing for DORA.
These advantages, he explains, would not only extend to the end consumers, but also to third-party partnerships.
“Third parties will be less willing to work with you if you don’t take this seriously and learn how to manage supply chain risk,” he says.
While firms of all sizes have benefited from the growing prevalence of industry connectivity, DORA now requires these connections to become channels of collaboration, so that firms stay aligned and resilient in the face of inevitable security shocks and tremors.
There is undoubtedly a lot of ground to cover in achieving full compliance with DORA before January, and although preparations are bound to differ from firm to firm, all will find themselves subject to the same timely call to ditch the glitches. Because now, outages are out, and being resilience-ready is the new name of the game.