The Digital Operational Resilience Act (DORA) is on its way to becoming enforceable, and experts are warning it is time to take stock and prepare for a significant change in risk management.
In the lead-up to DORA becoming enforceable on January 17, 2025, compliance functions at companies across the EU are likely to be paying the act close attention.
“DORA is designed to be a step change in the way that firms look at destructive events. It should have an impact on a wide range of business-as-usual activities,” indicated Will Finn, senior manager at fscom.
DORA's requirements will inevitably be a rough ride for compliance professionals, with the EU introducing a prescriptive regime.
Firms will need to review and increase the resilience level of their current information and communication technology (ICT) landscape.
They will also need to review and update their internal policies, procedures and governance.
Additionally, the management body has to be involved to define, approve, oversee and ultimately take ownership of this.
DORA requires firms to deliver an ICT-related incident management process to detect, track, log, categorise, classify and notify ICT-related incidents, as well as ensure that any outsourcing arrangements comply with the regulation.
“It is an attempt by regulators to drive maturity, and the aim is that firms should work through this as a step change in how they're prepared in regards to risk management and threats the firm specifically faces where vulnerabilities exist,” Finn said.
Jessica Ramos, head of regulatory, oversight and financial affairs at EBA CLEARING, explained that the industry is currently in the preparatory phase for DORA. “PSPs will have a lot of groundwork to do to get ready.”
“We're talking about a huge scope of companies that they work with and a number of intermediaries that will need to be considered,” she said.
"After implementation, PSPs are going to have to report to authorities, and this regular reporting will likely mean additional resources being put into compliance roles, as well as in third-party and vendor management."
Impact on the payments industry
Although January 2025 may seem far away, there is a lot for firms to prepare and comply with.
“It is still early days but it is not difficult to predict a significant difference in business as usual,” said Simone Giordano, partner at De Matteis Law.
“Companies will need to implement an operational security strategy, including governance measures, incident reporting and testing platforms,” he said, adding that such a plan will probably need dedicated teams.
Payments and e-money firms have the added pressure of compliance with DORA alongside a new regulatory framework for the industry that specifically makes reference to DORA.
“A specific aspect of DORA is related to the interplay between DORA and PSD3,” noted Giordano.
Under the European Commission’s proposal for changes to the revised Payment Services Directive (PSD3), a new authorisation will also be required for existing payment institutions and electronic money institutions that were authorised under PSD2 and the Second Electronic Money Directive (EMD2).
“The re-authorisation process will include demonstrating compliance with DORA,” said Giordano. “This means that it is a big piece for firms to comply with should they wish to continue with their business.”
It is a mistake to look at DORA as a single piece of legislation, commented Florian Reul, counsel and head of fintech Germany at Linklaters.
"It fits into a grander scheme of digital transformation in the EU, which is evident in other work such as PSD3 and the Financial Infrastructure Data Access proposal, which put data front and centre," he said.
"This will all become much more important, and DORA will play a central role for the authorities and relevant entities."
Biggest pain points
“The biggest pain point will be negotiating new contracts,” explained Raza Naeem, financial regulatory partner at Linklaters.
Naeem explained that this will be top of the agenda for many firms.
“Negotiating with service providers will be challenging and firms will have the burdensome process of re-doing their contracts,” he said, noting that complex organisations have thousands of these.
As a first step, he said, firms will need to understand what is in each contract and consider how to remap it.
Ramos agreed that, for both large and small payment service providers (PSPs), the greatest challenge will be creating a compliance framework and then implementing it.
"If you're a large PSP, you will have so many ICT providers and it will be challenging managing all of these," she explained.
"As a compliance professional, you will have to consider every single provider that falls into scope. Once you have this list, how will you get the changes into the contract and how will you get them to agree?"
As a regulatory requirement, this will need to be undertaken, and it will take a long time to negotiate these contracts, she warned.
"If I was working on the rollout, I would be sourcing the information needed for assurance."
Ramos explained that this could be applied in a similar way to the Swift customer security program.
This was established by Swift to help financial institutions ensure their defences against cyberattacks are up to date and effective, helping to protect the integrity of the wider financial network.
Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF), before attesting their level of compliance annually.
"Each provider fills out a form with different levels of compliance," Ramos said. "This is probably the best and easiest method to be prepared for compliance."
Firms should strengthen testing capability
Finn, meanwhile, suggested that testing would be the greatest challenge.
"There are specific requirements around scenario testing," he said. "I think firms have been thinking about this for a long time and appreciate that current testing procedures need to be beefed up."
Have firms tested sufficiently yet though? Finn does not think so. "This is a real area for firms to focus on."
"It is a new way of thinking," he explained. "Testing is not new, for example, EBA guidelines required testing of critical systems for some time."
However, the breadth of testing and the focus on broader operational threat scenarios is new.
"Firms need to understand what and why, and the proportionality to risk. This requires a different mindset from firms, and going forward will need to be considered as something that is firm-wide with plausible scenarios."
In spite of the increased compliance burden, Ramos did offer reasons to be optimistic.
"DORA will result in a safer and more predictable ecosystem," she said. "There are currently many different frameworks to comply with and this regulation is expected to harmonise all of that.
"If standards in this area are aligned, this will be a very good thing for the industry and may ultimately save money for firms."