The Digital Operational Resilience Act (DORA) is on its way, landing on 17th January 2025, and it’s set to shake things up for the EU financial sector. This isn’t just another set of guidelines but a full-on regulatory framework aiming to bring all financial institutions—and their third-party providers—onto the same page in terms of digital resilience.
The message from regulators is clear: it’s time for institutions to get more serious about preventing and handling digital disruptions. With the deadline coming up fast, if you’re not fully prepared, now’s the time to tackle what DORA means for your institution and start taking steps to get ready.
What does DORA mean for financial institutions?
DORA is not just about cybersecurity or ticking off a list of “to-dos.” It’s about ensuring that all financial entities operating in the EU have a sturdy, cohesive approach to handling digital risks and disruptions. The regulation isn’t particularly prescriptive, either. Instead, it puts the onus on institutions to show they can maintain operational resilience no matter what. In other words, DORA says, “Here’s the framework—ensure you’re secure and resilient enough to handle whatever comes your way.”
This means financial institutions have to dig deep into their digital risk strategies, not just patch up surface-level issues. Everything from policy creation to ongoing monitoring and documentation needs a robust approach that demonstrates compliance.
Key requirements of DORA for financial institutions
One of the most crucial aspects of DORA is its emphasis on ICT risk management. Financial institutions must ensure that their ICT frameworks are resilient enough to withstand potential disruptions, and this requirement extends to third-party providers. Indeed, financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.
For critical third-party service providers, independent audit certifications such as ISO 27001 and SOC 2 will be essential to demonstrate their alignment with DORA. Certifications like these help entities evidence compliance with DORA’s requirements and build trust with their clients. As financial institutions evaluate their third-party relationships, they may choose to prioritise partners who already demonstrate compliance with recognised certifications and operational resilience frameworks.
As DORA compliance evolves, the European Commission is considering standardised contractual clauses that would further streamline these requirements. Institutions should prepare to incorporate these clauses as they become available to facilitate smoother compliance with DORA’s regulatory framework.
DORA’s future impact: a more harmonised and resilient financial sector
For many financial institutions, DORA may feel like an additional regulatory hurdle. However, its harmonised approach offers potential advantages, including a more level playing field for compliance across the EU. In effect, DORA could encourage greater industry-wide collaboration, with entities sharing best practices and learning from one another to strengthen digital resilience collectively.
Just as the EU’s General Data Protection Regulation (GDPR) set a global benchmark for data privacy, DORA aims to set a similar standard for ICT risk management, ultimately benefiting both financial institutions and their clients by creating a more secure digital ecosystem.
This harmonisation also addresses a growing area of concern: the resilience of cloud-based services. While financial institutions might feel confident in their own security protocols, risk often lies in the cloud infrastructure they rely on. DORA’s inclusion of third-party providers acknowledges this, urging financial institutions to ensure that their vendors and critical partners adhere to robust cybersecurity standards. By proactively managing third-party risk, financial institutions can mitigate potential vulnerabilities that could otherwise expose them to significant operational and reputational damage.
What’s next?
For financial institutions, the path to DORA compliance is clear but requires thoughtful preparation. The following steps can guide a smooth transition:
- Evaluate and enhance ICT risk frameworks: Ensure that your ICT risk management policies, controls, and procedures align with DORA’s standards.
- Assess third-party providers: Ensure the resilience of your critical third-party providers, prioritising relationships with those holding recognised certifications like ISO 27001 and SOC 2.
- Revise contracts for compliance: Where necessary, ensure contractual agreements cover DORA requirements, including performance targets, exit strategies, and audit capabilities.
- Prepare for standardised clauses: Stay informed about the EU’s efforts to introduce standardised contractual clauses and plan to integrate these as they become available.
- Document everything: Maintain comprehensive documentation of your compliance efforts, ready to demonstrate DORA alignment to clients, partners and regulatory bodies.
Preparing for a resilient future
DORA is set to shape the future of financial operations in the EU by making digital resilience a priority across the sector. With proactive preparation, financial institutions can not only achieve compliance but also strengthen their overall operational resilience. As we approach January 2025, now is the time to ensure your ICT infrastructure, third-party relationships, and risk management frameworks are aligned with DORA’s requirements. Institutions that act early will be best positioned to thrive in a more secure and unified digital landscape.
If your institution is seeking reliable, DORA-compliant solutions, it’s crucial to partner with providers who prioritise resilience and security. Make sure your solutions are equipped to handle DORA’s requirements, empowering your organisation to face the future with confidence.
Learn more about how to meet the EU’s regulation requirements in the Napier AI / AML Index. Get a transparent, explainable view of the cost of compliance to society and financial institutions, and see AI’s potential to enhance AML effectiveness.