Are financial institutions ready for DORA?

DORA isn’t just about regulatory compliance; it’s a unified framework for ensuring businesses can adapt, recover, and thrive amid unforeseen challenges. DORA is a game changer in the depth of understanding it requires ICT providers, banks, and financial institutions to have of their end-to-end supply chain, and in how it requires them to enhance the way they conduct Third Party Risk Management (TPRM), explains Martin Davies, Audit Alliance Manager, Drata.

The European Digital Operational Resilience Act (DORA) came into force on January 17, leaving non-compliant organisations vulnerable to regulatory pressure, potential fines, and losing access to lucrative markets. Non-compliance with DORA carries substantial financial penalties that can amount to 2% of global revenue for the relevant entity. For critical third-party ICT service providers, fines can reach up to €5,000,000 for companies or €500,000 for individuals. That means having total visibility of your supply chain is critical; however, not all in-scope companies are up to speed in their preparations. For many ICT providers in the financial services sector, DORA necessitates a significant change in their ways of working and managing risk.

The roadblocks and how to overcome them

Some entities are falling short when it comes to DORA for several reasons. Let’s look at the obstacles, along with advice on overcoming them:

Governance and accountability: the introduction of personal liability for directors marks a significant shift in terms of cybersecurity and operational resilience and, as such, can be daunting for companies unused to such stringent regulations.

This can be mitigated by ensuring directors are well-informed about their responsibilities and the implications of DORA. Regular training and updates on regulatory changes can help directors stay compliant and reduce personal liability risks. Crucially, the Board must be involved in decisions relating to the organisation’s DORA strategy.

Outsourcing: DORA emphasises that while activities can be outsourced, the risks associated with those activities cannot be. Companies must, therefore, manage and assess the risks associated with their third-party providers. This is not always as simple as it should be and can require lots of preparation.

A robust vendor risk management framework, built on thorough due diligence of third-party suppliers and confirmation that they have adequate measures in place, is key. This framework should include regular audits, continuous monitoring, and clear communication channels with third-party providers. Tools can help centralise and analyse log data across various systems to identify unusual activity and address areas of non-compliance that may arise from third-party outages.

Vague regulations: financial institutions are well used to regulation; however, DORA’s rules are intentionally vague to encourage companies to interpret them according to their own business model. This vagueness can also make preparation more difficult.

Seek legal advice and leverage the guidance and workflow automation provided by compliance tools to formulate an action plan for implementing activities that adhere to the rules. The relevant authorities will also provide advice concerning obligations, including incident reporting and ICT risk management.

Financial impact: complying with DORA will most likely involve spending on cybersecurity infrastructure and personnel. For smaller firms, that investment can prove a real obstacle.

Compliance tools can reduce the financial burden through automation while implementing the necessary controls without expensive consulting fees.

Skills gap: the demand for cybersecurity skills and experience is growing – and is not always matched by the availability of skilled professionals. If you can’t get the right people on board, it is going to be hard to get ready for new regulations such as DORA.

Address the gap by investing in training and development for existing personnel. At the same time, integrated compliance frameworks can leverage existing controls and data, reducing the need for more manpower and extra resources.

The long-term benefits of DORA

Once these obstacles are addressed, businesses will be ready to reap the benefits of DORA compliance.

Improved operational resilience: DORA ensures that financial institutions can withstand, respond to, and recover from severe operational disruptions, such as cyber incidents, natural disasters, or technical failures, which is crucial for maintaining the stability and trustworthiness of financial services.

Enhanced risk management: By assessing third-party risks, monitoring supply chains, and developing robust incident response plans, companies will become more skilled at identifying and mitigating risks, thus reducing disruption.

Trust and reputation: DORA compliance demonstrates a commitment to high standards of cybersecurity, building trust with regulators and stakeholders as well as peace of mind to customers. This boosts reputation and can potentially lead to new business opportunities.

Regulatory alignment: The unified regulatory approach to digital resilience reduces the risk of non-compliance penalties and ensures a level playing field for all organisations.

The ripple effect

DORA’s impact on regulatory frameworks, risk management practices, and organisational strategies has global implications. Financial institutions operating across borders will need to align their practices with DORA standards, leading to a more unified approach to digital operational resilience globally and a ripple effect across the global financial ecosystem.

Moreover, given the global nature of the third-party provider network, TPRM will be critical in managing risk across the supply chain. Financial institutions will need to conduct thorough due diligence on their third-party providers around the world, ensuring they have sufficient risk management measures in place.

Ultimately, DORA presents a significant opportunity to build operational resilience and enhance cybersecurity, reducing the ever-growing risks in an interconnected world. By overcoming some of the inherent roadblocks, financial institutions will be well placed to enjoy the associated benefits for the long haul.
