Wayne Scott, Regulatory Compliance Solutions Lead at leading software escrow company, Escode, delves into the Digital Operational Resilience Act (DORA), exploring the key challenges financial organisations are facing and what they can do to prepare themselves for the upcoming legislation.
With just three months to go until the enforcement of the Digital Operational Resilience Act (DORA), the clock is ticking for those financial services organisations operating in the European Union. Businesses that do not comply could face serious consequences, including fines of up to 2% of global daily revenue and potential personal liabilities such as fines or jail time for executives, so thorough preparation is crucial.
So how ready are organisations for DORA, and what challenges might be facing them on the road to compliance?
DORA: A new era in financial regulation
DORA isn’t just regulation; it’s legislation. This distinction underscores the European Union’s intent to enforce it with absolute rigour, addressing growing concerns around third-party risk. DORA advocates for the inclusion of stressed exit plans in all ICT third-party licence agreements, so that the failure of a supplier cannot seriously disrupt the financial services sector.
As financial institutions increasingly rely on external tech providers, the threat of a single point of failure has never been more pertinent. Recent high-profile global tech collapses have shown just how vulnerable the system is, making DORA’s focus on digital resilience timelier than ever.
The financial landscape is already turbulent, made fragile by ongoing issues such as rising global borrowing costs. So, the last thing financial services need is more risk exposure from poorly managed third-party relationships.
How does the regulation stack up across the globe?
While DORA is the EU’s latest regulation, it’s not just European companies that need to pay attention. Interest in DORA is rapidly growing in the US and UK, particularly among companies with significant EU operations. Yet, many non-EU firms are still unsure whether they’ll fall under DORA’s rules.
Adding to the pressure is the looming deadline for the UK’s SS2/21 regulations, coming in March 2025. The overlap between DORA and SS2/21 has left many organisations frustrated, facing compliance with not one but two significant regulatory frameworks.
Globally, DORA represents a new chapter in digital resilience. While the EU is leading the charge, the rest of the globe is following very closely behind.
Despite the growing urgency for robust third-party risk management, many organisations remain alarmingly underprepared for DORA’s implementation. In fact, a recent report commissioned by Escode in collaboration with the international research organisation CeFPro revealed that only 20.8% of financial professionals report having stressed exit plans in place within most of their third-party agreements, including those with software suppliers.
These figures indicate that many financial institutions still have considerable work to do in preparation for DORA. With the new legislation set to take effect from January 2025, it’s important to look at the challenges facing businesses when it comes to ensuring compliance.
The risk of overconfidence
A common pitfall for large institutions is assuming they are already DORA-ready. Many discover major gaps only when they conduct deeper assessments, particularly in areas like third-party escrow agreements, which can take months to finalise. This becomes riskier still when organisations lack clarity on the penalties for non-compliance.
So, in the lead-up to DORA, organisations need to build a defensible position. While complete compliance by January 2025 may be a long shot for many, organisations can start to demonstrate progress. A clear roadmap, identifying regulatory gaps and planned actions for improving processes, could make all the difference in helping the financial sector prepare for the changes.
Navigating ambiguity
There’s currently a lack of clarity around whether critical third-party providers will be directly regulated under DORA. Many tech companies, often blindsided by regulatory updates in the financial sector, are also ill-prepared for the many compliance requests about to come their way.
The cost of compliance is another challenge. As reactive compliance kicks in, companies are discovering that ticking all the regulatory boxes isn’t just time-consuming—it’s expensive. Many are scrambling to implement reactive solutions, which only add layers of complexity.
What’s really needed is standardisation – a clear path that helps third-party tech providers understand and meet regulatory expectations. Until that happens, confusion will remain a barrier for both financial businesses and tech providers alike.
What should organisations do now?
With only months left until DORA comes into force, it’s clear organisations need to act now to ensure a smooth transition.
Here are key steps organisations can take to make the process of becoming DORA-ready as easy as possible:
- Mobilise cross-functional teams
Effective digital resilience requires collaboration, but in many cases, accountability is lacking. Some companies have assigned DORA compliance to legal departments, others to risk or IT teams. This often results in a fragmented approach to a problem that requires unity. Organisations need to mobilise cross-functional teams to tackle the challenge head-on and ensure a collaborative approach to risk management.
- Focus on supplier management
Equally important is supplier management. It’s not just about ensuring your direct tech providers are resilient—what about their providers? A key question every organisation should be asking its suppliers is: “What’s your stressed exit plan?” Proactive due diligence is critical, but it’s not happening fast enough. The message for C-suites is clear—get your teams together, assess the financial, contractual, and technical barriers, and act before it’s too late.
- Conduct gap analysis
Regular gap analysis will be a crucial tool in this process. Continual assessment of your current compliance status will not only identify areas that need attention but will also help shape the defensible position that could protect you from regulatory pressure. This is key to taking a proactive approach to managing risk and regulation, and it can help to avoid challenges in the long run.
The countdown is on
Three months may feel like a lifetime in the corporate world, but when it comes to DORA compliance, it’s the blink of an eye. The message for financial services is simple: if you’re not already well on your way to compliance, you’re behind.
Now is the time to mobilise your teams, collaborate across departments, and prepare for the legislation. For the financial sector, DORA marks the beginning of a new regulatory era—one where digital resilience isn’t just a buzzword, but a non-negotiable imperative. The time to act is now.