SFTS: Action needs to be taken on DORA, speakers say

Firms need to start their work on compliance with the Digital Operational Resilience Act (DORA) now, panellists at this year’s Securities Finance Times Technology Symposium said, noting that the industry is currently lacking awareness about it.

Diego Ballon Ossio, partner at Clifford Chance, began the ‘Exploring DORA’ panel with an overview of DORA. Scheduled to go live on 17 January 2025, full compliance with the regulation is expected by Q4 of that year. The level one text has already been published and reviewed, with the industry anticipating the second round of regulatory technical standards in the near future.

The regulation aims to tackle operational resiliency and enhance ICT management processes for financial institutions. Firms must assess their systems and network and identify which elements are important for their regulated and essential activities. If provisions from third-party vendors are deemed as such then they will be in scope of DORA, and institutions must ensure that these services are compliant.

DORA amalgamates a variety of current guidelines and ‘soft’ regulations currently in place in the EU, Ballon Ossio explained, creating a binding regulation that will apply without the need of specific implementation across all member states. As such, firms “are not starting from zero” — they should either already be engaging with, or aiming to engage with, the requirements. Similarly, Stuart Power, director of integration intelligence at Coliance, added that existing testing procedures, along with added third-party verification, will be able to be used to prove compliance with the regulation.

Although DORA applies to regulated financial firms, vendors will also be impacted. Ballon Ossio noted that, as a result, vendors may attempt to keep their products out of scope, but explained that financial institutions will ultimately be responsible for deciding the materiality of their contracts with these third-party providers. Power added that even vendors that are not directly in scope of DORA must meet requirements in order to serve financial institutions, and stressed that firms need to be working with vendors now to guarantee product compliance.

Power shared his “surprise” at the lack of conversation around DORA given its imminent implementation and the “hefty fines” in place for any shortfallings. He emphasised the need for industry collaboration, a sentiment echoed by Richard Colvill, managing partner at Consolo, who advised firms to join steering groups, embrace a collaborative approach and learn from previous regulatory implementations.

Power went on to highlight key areas that firms will need to consider as DORA comes into effect, the first of which is ICT risk management — the main focus of the regulation. Companies must ensure that their systems are resilient and learn from any previous incidents that they have experienced. Information and intelligence should be shared both within the institution and with others in the industry.

Vendor risks must be consistently monitored, with clear communication between third parties and financial institutions to ensure resilience for the latter. Operational resilience testing is also essential, conducted both internally and from third parties, strengthening resilience to both the market and targeted attacks. This will be a time-consuming process, Power warned, again emphasising the necessity of action from firms on this issue.

There are several ways that institutions can prepare for DORA implementation, Power said, including specialised training, a clear understanding of an organisation’s requirements, and the securement of data.

The panellists discussed the fact that while DORA is an issue for companies on a group level, the impact on individual businesses within that group will vary. Business leads must individually confirm their compliance, assessing which of their vendors and technology services are essential and explaining how operations would suffer without them. This information will need to be taken to a board level, with Colvill urging that business leaders must have their voices heard within the wider group.

Steve Sullivan, independent consultant, predicted that DORA will become another process that firms must go through, akin to know-your-customer and anti-money laundering checklists, by the time that the regulation comes into effect. Implementation “will be an educational process for many”, he concluded.