“How did you go bankrupt?” asks one of the protagonists in Ernest Hemingway’s novel, The Sun Also Rises. “Two ways,” comes the reply. “Gradually and then suddenly.”
This memorable response could also describe how failure to prepare for Europe’s Digital Operational Resilience Act (DORA) is likely to damage the business prospects of fintechs.
The end-result may not be as drastic, but the chances of a loss of reputation and fall-off in new business must be rated highly.
Ignoring DORA will not necessarily have a detrimental effect on 17 January 2025, the date the regulation fully comes into force. The process will be slower, and longer, and may have already started.
Many firms are hoping they are not in scope, putting faith in uncertainties around DORA’s proportionality clauses, its criterion for critical suppliers, its incoming technical standards or other unfinished business.
You could be lucky. After all, the European supervisory authorities’ (ESAs) first pass at estimating the number of impacted direct and indirect suppliers identified a mere 20,000 firms. It’s also the case that major suppliers – cloud service providers, data centres, data analytics providers – will gain most of the attention of the enforcement authorities.
But is hope really a strategy or just putting off the inevitable? If you are a third-party provider of information and communications technology services (or ICT TPP) to financial services firms, DORA will impact you – and sooner than you think.
At heart, DORA recognises that operational resilience and cybersecurity are universal responsibilities. The delivery of financial services in the digital age rests on the strength of the weakest link. Cyberthreats will find their way through any open back door. That’s harder if we all play by the same rules, as DORA demands. Firms that fail to demonstrate their willingness to play their part will fall by the wayside. Gradually, then suddenly.
Take four
Not convinced?
The first and most obvious point to make is that financial services firms trading in Europe will stop working with fintechs that cannot demonstrate DORA alignment, because their own licence to operate depends on it. They cannot risk the fines – the higher of €10 million or 2% of the total worldwide annual turnover – and are combing their supply chains for cast-iron proof of the necessary standards of operational resilience. They are drawing up their internal governance and controls frameworks for managing ICT TPPs, re-evaluating their incident-handling and information-sharing procedures, sending out questionnaires and launching contract remediation projects to ensure their suppliers are in order. DORA’s third-party risk management requirements force finance sector firms to build data accessibility, integrity and security into their contracts – also giving regulators the power to terminate non-compliant arrangements. Further, working in non-traditional and fast-moving sub-sectors will not shield fintechs from DORA’s influence: crypto-asset service providers, crowdfunding platforms and other non-traditional entities are in scope.
Secondly, one way in which DORA makes clear that operational resilience and cybersecurity are everybody’s responsibility is through the testing requirements that reflect the reality of myriad linkages in the ecosystem of digital finance. DORA requires in-scope firms to conduct regular, thorough and far-reaching testing programmes in recognition of the dependencies between customers and suppliers. Fintechs will need to deepen those relationships, participating in ongoing testing programmes in a seamless and supportive fashion. You will no longer remain outside the walls of your clients; you will be in and out of their portals, virtually, all the time; if indeed you are not already. But you will only be allowed in if you’ve taken the necessary hygiene measures.
Third, not only will your customers look at you differently in a post-DORA world, so will your suppliers. A number of the ICT TPPs identified by DORA as critical to the operational resilience of the finance sector – such as cloud service providers and data centres – are also essential suppliers to many fintechs. These infrastructure providers will not wish to jeopardise their valuable relationships with top-tier banks and insurers by giving rack space to firms that cannot prove they take operational resilience and cybersecurity seriously. Ignoring DORA could mean that you get ignored too.
Fourth, the excuse that you are not based in Europe and do not serve European clients might buy time, but how much is open to question. European law typically expands in two ways. Its requirements spread over time from those with the largest European footprint eventually to those with any. In theory, it is conceivable that you can grow your fintech business successfully by serving clients that have no European presence, using tools and services from suppliers that are similarly isolationist.
But because of Europe’s acknowledged leadership as a regulatory superpower, other countries will over time ‘cut and paste’ measures which more or less replicate the originals, especially when they are a harmonisation of existing best practice as is the case with DORA. With its strong tradition of finance sector regulation, the UK will forge its own path, having already laid out clear requirements for outsourcing relationships and other aspects of operational resilience. And while DORA’s testing regime will stretch firms already compliant with the current requirements of the Financial Conduct Authority, it’s likely that future UK/EU approaches will evolve in parallel.
False hope
It would be unwise for any fintechs to take false hope from a lack of action to date from their own client base. As noted above, the lights are not going to go out on 17 January, because the finance sector itself is still not ready for DORA. A recent survey of almost 400 finance sector firms conducted by the Luxembourg Financial Sector Supervisory Commission (CSSF) found that 71% of firms regard themselves as only partially prepared. With two and a half months to go, they are ramping up their efforts. Unsurprisingly, contractual negotiations with ICT TPPs were the top challenge facing firms, cited by 54% of CSSF respondents.
Further, the regulatory framework is not yet ready. As we know, regulation is a process not an event. The ESAs only submitted their final report on draft technical standards on subcontracting in July – and are at odds with the European Commission over the details of a register of finance firms’ contractual relationships with ICT TPPs. In addition, it is not yet clear exactly how third-party risk management requirements will evolve, in terms of the expected tightening of assessments and reporting obligations. But the current absence of certainty should not justify inaction when the direction of travel is so clear and comprehensive.
After all, DORA is just one plank of Europe’s efforts to fortify itself against operational resilience risks and cybersecurity threats – alongside the Network and Information Security Directive and revisions to the Payment Services Directive – as part of the Commission’s multi-sector Fit for a Digital Age programme. As noted above, other governments will adopt similar initiatives.
While it may be possible to fly under the regulatory radar in the early stages, why take the risk? If you have ambition for your firm, you will want to deliver top-quality services to the firms that are already at the top of the tree, or getting there fast.
Gradually or suddenly
Putting off a compliance project is understandable, but DORA should be seen as more than that. Aligning your model and strategy with its vision of operational resilience for the finance sector is a key to future success, not a burden to your business. Further, tools like The Disruption House’s essential DORA Readiness Assessment service offer a quick and effective way to assess your current DORA compliance standing and track your progress, enabling you to focus on strengthening all-important client relationships.
In our digital age, operational resilience and cybersecurity are seen as a hygiene factor in the finance sector. But DORA shows that policymakers globally recognise their far-reaching importance as a cornerstone of a functioning economy and national security. Getting with the programme is essential. You might not notice the downsides to inaction immediately – but they will make themselves felt, gradually or suddenly.