The knowledge platform for the financial technology industry

A-Team Insight Blogs

Now is the Time to Prepare for January 2025 DORA Compliance Deadline

Rich Cooper, Global Head of Financial Service Go-To-Market at Fusion Risk Management.

The Digital Operational Resilience Act (DORA), which is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements and set out a common set of standards for mitigating risks, takes effect across the EU in January 2025. The legislation covers a broad range of financial institutions, requiring them to ensure they can withstand all types of ICT-related disruptions and threats. It also introduces an oversight framework for critical third-party providers, such as cloud service providers.

In this Q&A, Fusion Risk Management’s Rich Cooper provides guidance on how to approach DORA compliance and explains why financial institutions should be taking action now to meet the January 2025 deadline.

Q: How should financial institutions strategically approach DORA compliance to satisfy technical requirements ahead of the deadline?

A: DORA is built on five core pillars that address different domains across ICT risk management and cybersecurity to provide a comprehensive framework for the EU financial sector. It establishes regulatory guidance and a roadmap to help organisations achieve resilience by identifying, assessing, mitigating, and managing critical risks that may impact their core business functions.

Now that we are just one year away from the 17 January 2025 deadline, it is time for organisations to get serious about their compliance and resilience initiatives. Organisations should not look to simply ‘check the box’ for DORA compliance – they should view DORA as an opportunity to align disciplines such as information technology disaster recovery and third-party risk management, and create a framework to enhance their overall approach to resilience.

By creating a robust digital operational resilience strategy across the entire organisation, firms will ensure they are meeting evolving regulatory requirements and digital resilience expectations from regulators, customers, and stakeholders for years to come.

Q: How can organisations leverage compliance to build long-term value with a cross-functional approach?

A: DORA requirements impact stakeholders across the organisation. The regulation places the financial institution’s management team in charge of defining, approving, and overseeing DORA compliance. However, the actual programme execution will require additional commitment and buy-in from other functions, including disaster recovery, third-party risk management, crisis management, incident response, business continuity, compliance, and legal teams. Without a cross-functional approach from the start, organisational silos can arise that will make it challenging to engage with the individuals and teams that are required for success.

Organisations should evaluate where they are on their digital operational resilience journey as well as review existing practices to identify disconnected functional areas and gaps that must be improved for compliance. By enhancing their best practices and establishing group-wide processes within business units, they will deliver long-term value that goes beyond compliance to achieve true operational resilience.

Q: Why must organisations begin preparation today to meet the DORA compliance deadline before the final specifications are announced in the second half of the year?

A: Although we are still waiting for some final details, financial institutions must start their DORA preparations today if they haven’t already. The EU has already laid out the five pillars of DORA compliance: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information and intelligence sharing. These pillars will not change before the January 2025 deadline, so organisations must begin working towards compliance today.

All Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) specifications will be released in the second half of 2024. If an organisation waits until then, it will likely be racing against the clock to implement the needed processes and procedures. Now is the time to finalise your digital operational resilience strategy and gather the necessary buy-in to ensure that your organisation can meet the final compliance deadline.

Q: How does the regulation differ from established operational resilience regulations?

A: DORA was developed to strengthen compliance efforts across the EU and combine several existing regulations into one cohesive rule. Some firms may already meet aspects of DORA’s requirements through their compliance programmes with existing regulations, such as the European Banking Authority (EBA) guidelines on ICT and security risk management.

While DORA requirements can be coupled to broader operational resilience objectives around important business services, DORA is a transformative regulation compared to some others that we have seen in the way that it extends resilience expectations to ICT third-party providers. Ultimately, DORA’s framework will improve the resilience of interdependent organisations, increase the strength of financial services’ supply chains and the broader ecosystem, and enhance the objectives around broader organisational resilience strategies and regulations.
