DORA Compliance Deadline Approaches: Is Your Organization Ready?


The EU’s Digital Operational Resilience Act (DORA): A New Era for Financial Institutions

Since January 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) has applied in full across the EU, marking a significant milestone in the regulatory landscape for financial entities. The regulation is designed to bolster the resilience of financial institutions against disruptions to their Information and Communication Technology (ICT) infrastructures, covering ICT risk management, incident reporting, resilience testing, and the oversight of ICT third-party providers. The European Supervisory Authorities (ESAs) have made it clear that compliance is not optional: financial entities must adhere to the requirements set out by DORA from the application date, without any transitional period.

Addressing Critical Risks

The introduction of DORA has been met with enthusiasm from many industry practitioners who recognize the urgent need for regulators to tackle the evolving risks faced by financial institutions. Wayne Scott, Regulatory Compliance Solutions Lead at Escode, emphasizes that the financial sector has been grappling with a critical gap in managing newly identified risks, including supplier failures and service deterioration. He argues that while cybersecurity remains a priority, there is a pressing need for financial institutions to elevate the ownership of these risks to senior management levels.

Scott points out a common misconception among financial institutions: the belief that the resilience of Software as a Service (SaaS) solutions is solely the responsibility of the supplier. This misunderstanding, coupled with unclear ownership structures, has left many in the European financial services sector without robust exit plans for critical services.

Compliance Challenges

Despite the positive reception of DORA, many practitioners have expressed concerns about the complexity and ambiguity of its requirements. Research conducted by the Business Continuity Institute (BCI) has highlighted that some financial entities are struggling to interpret the regulations effectively. Feedback from regulators has often been insufficient, leaving many organizations uncertain about how to proceed. Additionally, the reporting requirements have been criticized for diverting resources away from incident resolution, creating an environment where compliance becomes a burden rather than a facilitator of resilience.

Shana Micallef, Security Governance Manager at APS Bank plc in Malta, notes that while her organization has successfully conducted gap analyses across all pillars of DORA, challenges persist, particularly in implementing Vulnerability Assessments (VA). The complexity of systems and the evolving nature of vulnerabilities make frequent scans and remediation efforts a daunting task. Micallef emphasizes the need for a structured, risk-based approach to compliance, prioritizing remediation activities based on criticality.

The Burden of Third-Party Risk Management

One of the most significant challenges posed by DORA is the management of third-party risks, particularly for smaller organizations. These entities often lack the resources to meet the demands of the new framework, making compliance a daunting task. Many smaller suppliers are either unaware of the new regulations or find the cost of compliance prohibitive. This has led some smaller organizations to opt out of working with financial services altogether, while larger suppliers may be slow to provide the necessary compliance information.

Michelle Cardona, Senior Operational Resilience Manager at APS Bank plc, echoes these sentiments, stating that navigating the complexities of compliance has been an ongoing challenge. Conversations with third-party providers are often fraught with difficulties, complicating the compliance landscape further.

The Road Ahead

Despite the challenges, the ESAs have indicated that supervision of DORA requirements will be conducted in a risk-based manner. Organizations that can demonstrate good-faith efforts to comply and maintain open communication with their regulators may therefore mitigate potential penalties for non-compliance. The stakes remain high, however: organizations that remain unprepared risk significant fines and reputational damage.

Looking to the future, experts believe that the scope of DORA may expand, necessitating further enhancements in operational resilience against ICT-related disruptions. Wayne Scott warns that the current focus on DORA compliance has yet to encompass the resilience of fourth and nth-party providers, leaving a critical vulnerability unaddressed.

Conclusion

As DORA takes effect, financial institutions across the EU are at a crossroads. The act represents a significant step toward enhancing operational resilience in the face of evolving digital threats. However, the path to compliance is fraught with challenges, particularly in the realms of third-party risk management and the interpretation of complex regulations. As organizations strive to meet DORA’s requirements, they must prioritize their highest risk areas and critical functions, ensuring that they are not only compliant but also resilient in an increasingly digital world. The journey toward operational resilience is just beginning, and the financial sector must rise to the occasion to safeguard its future.
