DORA: Financial institutions must act now or risk non-compliance

The European Union’s incoming Digital Operational Resilience Act (DORA) was first published in September 2020 as part of the Union’s Digital Finance Package (DFP), with a clear objective of improving the digital resiliency of the entire financial system. Almost every type of financial institution (FI) across the EU will be required to ensure that their suppliers and their suppliers’ security controls meet resilience standards.

With political agreement reached for DORA reached in May this year, by late June European Parliament updated its procedure file on the proposed regulation, indicating that Parliament will consider the draft during its October 2022 plenary session.

We make nothing short of a big deal around ISO 20022 migration, the ESMIG migration is agenda-setting, we have only granted diligent attention to EBA CLEARING’s STEP2 migration to the continuous gross settlement mechanism, so why isn’t DORA being prioritised with equal fervour?

Financial institutions of all shapes and sizes, organisations throughout FIs’ supply chains (especially those designated as critical), will be impacted by the Act and must review and build robust strategies to manage resilience risks between themselves and suppliers. This will also lead to more numerous and stringent operational resilience demand on suppliers themselves.

A natural first step would be to evaluate what is already in place to help the institution meet the Act’s expectations. No matter the size of the organisation, the imminence of implementation dates mean that whatever can be done immediately should be prioritised – be it a gap analysis or investigating what an FI’s estate looks likes – rather than waiting to know what technical standards will be approved further down the line.

Having been under discussion at the European Commission for a significant period of time, the text of DORA has finally been agreed upon. The European Union’s efforts to supervise the space have historically focused on a base level of functionality across a mesh of rules that are too general for the sector. This resulted in national authorities reaching their own interpretation of the rules, which were superficial and lacked cohesion.

The inconsistencies led to duplicate sets of rules across regimes which have not only contributed to high administrative and compliance costs, but increased IT and resilience risks.

Regulators are motivated to craft a set of rules which harmonise this patchwork of standards and rules, to build a robust and consistent framework that can be implemented effectively. Various jurisdictions have been grappling with the challenge of managing risk to strengthen operational resilience, with some regions making more progress than others.

For instance, DORA will significantly extend definitions of risk covered by the EBA to include networks and any technology-dependent tools or processes. The Act will also mandate that financial institutions that are considered critical must implement threat-led penetration testing, a step further than low-threshold testing.

This framework is essential in the current and future world of digitised financial services, as international cloud providers, technical providers and large financial institutions themselves are all attempting to orient their strategy in a compliant and resilient manner.

The drastic rise of interconnected and interoperable systems adds to the pressure to reinforce resilience across the financial supply chain landscape. Initiatives such as the second Payment Service Directive (PSD2) or large-scale transformation as we have seen with TIPS or SEPA)underscore this interdependence, highlighting the need to ensure that all players in this ecosystem are sufficiently resilient and secure.

As a consequence of DORA, it may be that parties in the supply chain which were previously unregulated can now be expected to fall under the supervision of regulators.

Overlaying supply chain concerns is the potential for variations in operational resilience frameworks with other nations or regions, such as the UK. Both HM Treasury and the Bank of England recently published papers on their approach to Critical Third Parties (CTPs), with the central bank welcoming responses to the discussion paper until December 2022.

While it is likely that there will be overall similarity between the UK’s operational resilience framework and the incoming DORA, it would be prudent to prepare for potential differences between the two. Work should begin on addressing any differences sooner rather than later.

As financial institutions are increasingly moving their operations onto the cloud, and given the global presence of certain large cloud providers, there is also a need for them to consider how they would respond to technical failures by their providers which may impact services across entire countries or regions.

Tackling this issue of concentration risk is a significant challenge for financial institutions, and while regulators appreciate the scale of the project, FIs should look to technology providers offering multi-cloud solutions as partners to assist them meet these standards in keeping with the incoming deadlines.

Diversification of suppliers is likely to become an increasingly important factor for financial institutions which interact with these organisations, as they seek to ensure that they spread their dependence over multiple network providers. This is particularly important for disaster recovery scenarios.

Financial institutions are not only going to be weighing up the advantages of working with a number of providers, but also considering the value of working with providers that are diversified and resilient themselves.

In order to effectively diversify, institutions will need to allocate sufficient financial and human resource toward pushing DORA readiness to the top of the agenda.

Given the looming deadlines, it is surprising to see how few parties across the industry even recognise the Act. When the majority of the attendees at industry leading conferences such as EBAday will not recognise the term DORA, it is apparent that meeting the deadlines is not ranking high enough on decision-makers’ timelines.

DORA is not considered by all players to be a silver bullet for resolving operational resilience concerns. However, despite the possibility of DORA being viewed as another regulatory burden by financial institutions, the consistency that it enforces across the EU means that financial institutions can have greater confidence that their suppliers are meeting the necessary resilience standards.

This will have the effect of opening up the landscape to greater competition, where institutions can look further afield to more sophisticated suppliers and be reassured that the player is compliant. The desire to improve diversification for service providers by financial institutions will also encourage smaller players which have historically been pushed out the market by monoliths to gain a stronger foothold in the industry.

DORA can be traced to every facet of a financial institutions’ offerings. As a result, firms would be well advised to approach the rules in a holistic manner, giving careful attention to how every division and system will be impacted.

At first glance, this potentially makes for a daunting undertaking. Preparing for the incoming DORA rules will likely land with operations or risk management departments first and foremost, before being picked up by product departments. To achieve this comprehensive transition, it is essential that financial institutions are able to craft a strategy that will be adaptable with changing regulations into the future.

By working with the correct partners, future-proofing an FI’s operational resilience strategy is not out of reach. In fact, certain technology providers are acutely aware of burdens that legacy technology can place on an FI’s efforts to meet new compliance obligations, and are equipped to support the entire transition from an outdated estate, toward an agile and resilient architecture into the future.

Time is of the essence for financial institutions set to fall within DORA’s remit. Be it through performing thorough gap assessments to identify both internal and supply chain risk factors, or allocating greater resource to resilience efforts, the time to act is now. Thankfully, with a wealth of resources and technological expertise available to assist in the transition, firms can take the opportunity to construct a comprehensive and adaptable model for their resilience strategy.