Dawn of A New Era for Operational Resilience

Last Friday, the EU’s Digital Operational Resilience Act (DORA) was implemented, bringing 22,000 financial institutions and their ICT service providers under stringent requirements to enhance IT resilience, manage risk and recover quickly from disruptions. We are now operating in the new era for operational resilience regulation.

DORA significantly extends the relationship between financial institutions and their technology suppliers. While medium and large businesses have been scrutinising supplier financials, stability, DR arrangements and cyber security status for some time, DORA imposes a regulated structure on top of that, with an expanded focus on incident management and recovery.

 

Key Opportunities and a Few Risks

Firms that see regulation as an opportunity to improve capabilities and manage risks across the ecosystem they are part of can improve customer trust and establish a competitive advantage.

This can include the way firms prepare for and prevent operational disruptions, mitigate cyber threats and enhance their overall operational resilience.

Meanwhile, there are some risks. Implementing new controls and processes can be costly, and can itself risk disrupting daily operations. Potential changes to DORA present further uncertainty around the requirements.

In particular, DORA and OpRes can be challenging in scenarios with high M&A activity, evolving organisation structures and culture clashes. It’s important for investors, board members and executives to keep an eye on this blind spot, given that the reputational risks of non-compliance in a newly ‘merged’ situation are high.

Financial institutions can face fines of up to 2% of their total annual worldwide turnover, and third-party providers can face fines of up to 1% of their average daily global turnover for each day of non-compliance.

 

Knowing Where to Start: Gap Analysis

We understand that many vendor firms are looking to understand gaps in their capabilities for DORA now that it is live. We have a ready-to-go solution that helps identify areas that may present immediate wins, including detailed gap analysis with references to legal obligations to assist firms in clarifying their needs in-house.

For firms grappling with a multitude of spreadsheets to gather official reporting documentation, or needing security or policy uplift to ensure compliance, we can assist through our partner network of services and solutions, including Evelyn Partners, Cado Security, Risk Ledger and Authority Software.

Thanks to our early partners whose feedback was key to the development of our solution – Temenos, eXate, Formpipe and Trading Hub.
