Editorial

Digital Operational Resilience (DORA) – The Challenges of and Strategies for Compliance

DORA will be effective from 17th January 2025 and focuses on augmenting the operational resilience of firms by ensuring robustness in their ICT risk management capabilities, reporting and testing, and third-party risk monitoring. All impacted firms need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Contributor

Martin joined Delta Capita as Global Head of Project and Programme Delivery and brings over 15 years of experience in the financial services industry across various change roles.

Martin Hillier
Global Head of Project and Programme Delivery

As regulators continue to focus on bolstering the resilience of the financial system around the world, operational resilience remains a strategic priority. As the risk of Information and Communication Technology (ICT) incidents continues to grow in frequency and severity, the EU aims to strengthen the IT security of financial services providers (including credit, payment and e-money institutions, investment firms, crypto-asset service providers, fund managers, insurance and reinsurance undertakings, credit rating agencies and crowdfunding service providers) through the adoption of the Digital Operational Resilience Act (DORA).

This article covers some of the challenges companies may experience in implementing DORA as well as some of the strategies for effective compliance.

Challenges in Implementation

DORA requirements pose several challenges for impacted firms including:

  • The Complexity of Digital Ecosystems - Financial institutions operate within multi-layered digital ecosystems encompassing critical technologies, platforms, and vendors. Ensuring resilience across this landscape demands significant coordination and integration efforts.
  • Legacy Systems - Complexity is increased by an often poorly understood patchwork of legacy systems, which may not align with digital resilience standards or the firm’s internal governance and control framework. Understanding, upgrading, and adapting these systems can be resource-intensive, costly, and time-consuming.
  • Third Parties - Financial institutions often rely on third-party providers for critical digital services. Ensuring the operational resilience of these external partners (a fundamental principle of DORA) presents a unique challenge, as firms have limited control over their processes.
  • Constantly Evolving Threats - Cyber threats and technological vulnerabilities are in a constant state of flux. Staying ahead of these risks and maintaining resilience requires continuous monitoring, updates, and adjustments.

Strategies for Compliance

To navigate these challenges, financial institutions will need to adopt the following strategies:

  • Comprehensive Risk Assessment - Conduct a thorough assessment of your digital infrastructure to identify vulnerabilities and potential points of failure. Implement an internal governance and control framework to ensure the effective and prudent management of ICT risk, prioritising areas that pose the highest risk to the business and customers.
  • ICT Incident Reporting - Establish appropriate procedures and processes to ensure consistent monitoring, handling, and reporting of ICT-related incidents. You must document all incidents, ensuring root causes are identified and addressed to prevent their recurrence.
  • Continuous Monitoring and Testing - Implement a proactive approach to monitoring and testing your digital systems. Regularly simulate potential disruptions (e.g., cyberattacks, technology failures) to evaluate your institution's response and identify areas for improvement. Regulators expect testing to form an integral part of the ICT risk management framework, which itself should be reviewed on a yearly basis and must be submitted to the competent authority upon request.
  • Modernisation of Legacy Systems - Invest in upgrading or replacing your outdated legacy systems to align with the DORA resilience standards. This may involve collaboration with technology partners and vendors. Delta Capita offers unique technology mutualisation opportunities that could help drive resilience in this space.
  • Vendor Management - Establish robust vendor management protocols to ensure third-party providers adhere to the same level of digital operational resilience. Maintain an entity-level register of your contractual arrangements for ICT services and report changes at least annually to the competent authority. Performing regular audits, performance assessments, and contingency plans are also essential and should consider the nature, scale, complexity, and importance of ICT-related dependencies in accordance with the principle of proportionality.
  • Skill Enhancement - Invest in developing the skills of your workforce to manage digital risks effectively. Training employees in cybersecurity, data protection, and incident response will enhance the overall operational resilience of your organisation.
  • Collaboration and Information Sharing - DORA allows financial entities to exchange cyber threat information and intelligence. You should engage with industry peers, external experts, and regulatory bodies to share best practices and insights. Collaborative efforts can lead to a more holistic understanding of digital operational resilience and foster a collective response to emerging challenges.

The DORA framework plays a crucial role in safeguarding the digital infrastructure of financial services. Impacted firms should have already started implementing DORA, engaging with external SMEs and resources where required. Similarly, third-party ICT providers should prepare for changes to existing contractual requirements with financial service providers.

Its implementation poses challenges. With significant industry experience in operational resilience and DORA, Delta Capita are well placed to help you meet the regulatory expectations of DORA and enhance your operational resilience.

For more information, please contact us today.