The Digital Operational Resilience Act has entered into force: How should firms respond

Operational Resilience has been attracting ever-increasing attention from regulators in recent years. Whilst the FCA and PRA published a joint policy back in 2021, the European Commission had been sl


Operational Resilience has been attracting ever-increasing attention from regulators in recent years. Whilst the FCA and PRA published a joint policy back in 2021, the European Commission had been slightly slower in their response to the subject, in the form of the long awaited Digital Operational Resilience Act (DORA).

Initially drafted in September 2020 as part of the Digital Finance package, DORA was proposed as a means of harmonising the rules across the EU relating to ICT risk management, whilst also defining clear guidelines relating to Operational Resilience. Despite being a European-centric regulation, DORAs reach goes beyond Europe’s borders too. Financial entities outside of the EU, such as those in the USA, Switzerland and UK, who engage in the European marketplace fall under its jurisdiction.

Following its entry into force on January 16th 2023, firms must now start diverting their attention towards the significant book of work the regulation presents in order to ensure compliance by the 17th January 2025 deadline.

What this means for firms

DORAs final publication came with no surprises, and remained closely aligned to the draft published by the European Commission. As discussed in our previous article, the regulation’s focus is on creating a unified strategy to tackle ICT related risks across the EU, in particular, cyber threats, ICT infrastructure risk and the dangers posed by an ever-increasing reliance on 3rd party providers.

DORA consists of 6 distinct topics. The first three, Governance Related Requirements, ICT-Risk Management Requirements and ICT-Related Incident Reporting, are already detailed across frameworks currently in use, such as incident monitoring, detection and reporting requirements outlined in PSD2, or risk exposure reporting and risk management process documentation covered by CRD/CRR. Firms should already have in place many of the demands that these topics present. Here, the regulations intention is to consolidate the requirements that already exist and bring them under a single framework.

However, it isthe introduction of requirements around Digital Operational Resilience Testing, ICT 3rd-Party Testing and Information Sharing Arrangements, that will prose the most considerable challenge to firms in their compliance efforts. It is through these areas that DORA looks to create a new comprehensive framework to safeguard firms, and the ultimately the industry as a whole, from resilience-related failures and risk.

How firms should respond

Firms cannot afford to fall foul of the regulatory fatigue around Operational Resilience. Firms must be pro-active in their approach to DORA, as with less than 24 months until the final regulatory deadlines, there remains a considerable amount of work to be done to ensure compliance.

Having now officially entered into force, EU regulators will begin to define their expectations of both financial services institutions and the 3rd-parties providing them services. Delta Capita believe the next steps for firm’s centre around reviewing current procedures, and preparing for the immediate implementation of DORA, both internally and with their respective 3rd-party providers. In order to stay ahead of the regulatory curve, by the end of 2023, firms should ensure they:

  • Review their current ICT landscape and ICT risk management frameworks
  • Review the new requirements set by DORA, involving both internal and external stakeholders in the implementation of these new standards for all operations and services in scope
  • Review and prepare current ICT testing capabilities and corresponding management processes to be DORA compliant
  • Perform an overall review of Digital Operational Resilience and any outsourcing agreements

How can Delta Capita help?

Some of the new DORA requirements for firms in the EU will not have a significant impact on current operating procedures and processes, while others will require extensive planning, coordination, considerable investment and action. Delta Capita provide a compartmentalised offering, presenting clients with flexibility in their approach to addressing DORA. The regulation’s six focus topics are broken out into individual delivery workstreams, with the option to either seek support in only select delivery workstreams, or to receive comprehensive DORA coverage. Our team, led by former C-suite level banking executives boasting extensive Operational Resilience experience, scan each workstream to assess our client’s regulatory readiness in the focus area, before developing and executing a plan to ensure compliance. Our experts are also equipped with DC proprietary project accelerators and technology assets that adapt to our clients’ requirements to further accelerate delivery speed and ensure client organisations are always ahead of the curve.

Co-authors: Gideon Ezra (Senior Consultant), Connor Turner (Consultant) and Clay Bobeldijk (Senior Consultant).