DORA is taking a seat in the board room
The EU’s new Digital Operational Resilience Act, or DORA, comes into force in January 2025, aiming to help financial institutions (FIs) and their partners become more resilient to a range of cyber threats. We welcome DORA because it will help to streamline regulatory requirements across many information systems for all kinds of FI – from major banks to FinTechs – at a time when risks are growing, from violent conflict to economic instability.
Some might see DORA as a hindrance to innovation, but that would be shortsighted. Instead, FIs should take a balanced, collaborative approach to implementing DORA that ensures the benefits of compliance outweigh the costs.
Greater security, more responsibility
Before DORA, FIs managed operational risk by allocating capital – but were not responsible for all components of operational resilience. Once DORA is implemented, FIs and their partners will have to follow rules for protecting, containing and repairing their systems following cyber incidents – as well as detecting and managing risks, such as brute force attacks, fraud, phishing scams and more.
“Under DORA, financial institutions and their partners will have to standardize and co-ordinate their risk management approaches.”
The regulation applies to all FIs and their partners providing critical Information and Communication Technology (ICT) services. DORA will deliver enhanced cyber-security, better resilience and business continuity across the European financial ecosystem – and will be most effective when all players work together.
The cost of compliance is growing, especially for small FinTechs – and that affects the cost of creating and delivering financial services. However, by applying the same standards to all players in the financial ecosystem, DORA will cut the chances of a data breach from one player causing a more widespread “domino effect”.
“A balanced, collaborative approach will bring most benefit.”
The smart approach to DORA
Compliance with such wide-ranging regulation doesn’t have to be complicated. To start with, most FIs already have some security measures included in their standard contracts. FIs should sit down with their partners to identify clear criteria for each area covered by DORA and a governance framework. Both the criteria and governance framework should be included in a fully transparent agreement that focuses on being as efficient as possible – which means straightforward processes that are easy to implement.
There should be no need for FIs to find their own interpretation or develop a unique set of requirements from their partners – most mature ICT vendors should have their own approaches and FIs should be able to find synergies between their approach and those of their partners.
“DORA will make ICT vendors more transparent and collaborative, which should lead to stronger and more productive relationships.”
DORA is likely to make ICT vendors more transparent and collaborative with their FI partners, which should lead to stronger and more productive relationships. Banks and service providers outside the EU that have business inside the bloc will also have to comply, strengthening the resilience of the world’s entire financial ecosystem. Furthermore, because DORA streamlines and harmonises ICT regulation across the entire financial sector, the roles and responsibilities of all players are clearer. Risks are easier to identify and manage when it’s clear where responsibility lies.
By bringing more structure and clearer guidelines, we expect DORA to improve business resilience and risk management processes across the financial sector. As a provider of always-on, fully-active banking and payments solutions that provide 100% system “up” time, we look forward to working with our current clients to deliver a more robust and secure financial ecosystem under DORA’s provisions.
For a discussion about your firm’s approach to implementing DORA, get in touch with Camilla Bjercke. Camilla is responsible for Tietoevry Banking’s efforts around DORA and can guide you further.