Understanding DORA: Building a compliant technology strategy

Guest post by Mark Cockerill, Vice President of Corporate, M&A, Securities and International Development at ServiceNow.

The Digital Operational Resilience Act (DORA) is a new binding and comprehensive regulatory framework for ICT risk management and digital operational resilience in the EU, which seeks to harmonise the rules, but will fundamentally change the regulatory and compliance landscape for banking and financial services across Europe.

DORA introduces new requirements in multiple areas as part of establishing the wide-ranging digital resiliency framework, from enhanced risk management to testing, reporting, and third-party ICT service provider oversight. Moreover, it requires robust ICT risk management with board-level oversight, enhanced policies, procedures, systems, testing and training.

Coming into force from January 17, 2025, DORA has a broad scope covering a wide range of financial services entities, including banks, investment firms, insurance companies and crypto asset providers. Compliance is mandatory, meaning Irish financial services organisations must implement the new rules by the above date or risk unwanted penalties. Penalties for breaches of DORA can amount to a percentage of annual worldwide turnover. Individuals in senior management could also be subject to penalties.

It may seem like yet another wave of both burdensome requirements in an already heavily regulated industry, but DORA actually presents a valuable opportunity for forward-thinking organisations. In a time of increasing cyber risks, DORA puts raising ICT risk management standards on a clear and consistent legislative footing, which should serve to strengthen IT security and resilience in the European financial services sector – meaning everyone ultimately benefits. Fully realising these benefits and meeting these requirements though needs a holistic technology strategy that weaves resilience into an organisation’s fabric —the challenge lies therein.

The impact of DORA on finance organisations

The last number of years have seen an irreversible trend in financial services towards digital adoption and evolution. Online banking, digital payment systems, and remote identity verification have transformed the sector. It’s unsurprising, then, that according to European Investment Bank research, 62% of large financial service firms took steps to improve digitalisation in 2022. On the one hand, this evolution is positive, with digital services comes added convenience and intuitiveness that can improve customer experience.

On the other hand, digitalisation opens financial services organisations up to myriad advanced cyberattacks. In fact, SecurityScorecard reports that 78% of Europe’s largest financial institutions experienced a third-party breach in the past year. To combat this threat, regulatory bodies in the EU work with organisations to strengthen security– and this is where DORA comes into play.

DORA requires organisations to understand and demonstrate operational resilience in a transparent, measurable way. The specific requirements of the act place emphasis on robust risk management, regular testing and continuous monitoring as crucial components of digital resilience.

Embedding the concepts correctly in the right end-to-end technological platform and matrix should help entities continue to both digitally transform and to continue to expand their increasing suits of digital products, but also do so in a way to pre-emptively satisfy and meet the regulatory protections that need to surround them.

The role of technology in supporting compliance

Successfully boosting operational resilience requires the right technology investments. DORA will require financial institutions and in-scope companies to be able to demonstrate, among others:

A centralised framework for enterprise-wide information and communication technology (‘ICT’) risk management;
The ability to report ICT incidents in accordance with prescribed timelines;
The ability to proactively manage third-party risks;
Regular testing to evaluate the effectiveness of measures to ensure operational resilience; and

The ability to easily share information between critical functions of the company responsible for provision of financial services

Many financial services organisations are already making strides in these areas—specifically when it comes to cybersecurity. According to ServiceNow and ThoughtLab research, two-thirds of firms in EMEA, Asia Pacific, and the United States have already made cybersecurity a top investment area. As a result of these risk management initiatives, around six out of 10 firms cite reduced costs and higher profitability. Despite this, work still needs to be done.

The same research shows that 39% of financial services leaders see the lack of an integrated platform to view operational risks as a challenge to business resilience.

With DORA stipulating that companies must proactively manage third-party risks, financial services organisations must obtain a clear, unobstructed view of end-to-end operations. Only then can they spot and react to risks in real-time.

Proper technology tools and integration should not only facilitate this greater transparency, but also still fuel capability to innovate and create, as the core balance to continue to grow and launch new services and products and maintain compliance and protection, is essential.

How to implement the right technology

Achieving a holistic view and meeting the DORA requirements requires a well-thought-out platform approach. This platform should, at minimum, provide:

Connected intelligent insights and data;
A backbone for informed decision-making, connected conversations, and operational resilience; and
Clear information flow to enhance employee experience and customer experience

The best way to offer all of these features is through platform modernisation. Operating on disparate legacy systems or outdated, manual processes is no longer feasible. Any system that allows risks to fall through the cracks—whether due to human error or processing delays—risks efficiency and regulatory compliance.

A more resilient future with technology

Implementing a platform-based approach can help financial services organisations improve operational efficiency and stay flexible and compliant in the face of constantly changing regulations. By putting transparency and resilience at the forefront of the financial services agenda, DORA emphasises the need for this kind of technology, as well as seeks to harmonise requirements to maintain consistency across the single market.

This is not legislation to begrudgingly adhere to; or legislation for the sake of it; it’s an attempt to address the most critical risks that can impact security and trust in our financial system. It is onerous and not straight-forward for certain, but the goal towards greater resiliency in the sector is laudable. Certain organisations, who leverage wider technology capabilities to strive not just for compliance, but contemplate the roadmap and evolution into the future, have a real opportunity to distinguish themselves from the pack.

Find out more about the technology solutions that can support operational resilience in financial services organisations.

 

See more stories here.