The knowledge platform for the financial technology industry

A-Team Insight Blogs

Now is the Time to Prepare for January 2025 DORA Compliance Deadline

Rich Cooper, Global Head of Financial Service Go-To-Market at Fusion Risk Management.

The Digital Operational Resilience Act (DORA), which is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements and sets out a common set of standards for mitigating those risks, takes effect across the EU in January 2025. The legislation covers a broad range of financial institutions, requiring them to ensure they can withstand all types of ICT-related disruptions and threats. It also introduces an oversight framework for critical third-party providers, such as cloud service providers.

In this Q&A, Fusion Risk Management’s Rich Cooper provides guidance on how to approach DORA compliance and explains why financial institutions should be taking action now to meet the January 2025 deadline.

Q: How should financial institutions strategically approach DORA compliance to satisfy technical requirements ahead of the deadline?

A: DORA is built on five core pillars that address different domains across ICT risk management and cybersecurity to provide a comprehensive framework for the EU financial sector. It establishes regulatory guidance and a roadmap to help organisations achieve resilience by identifying, assessing, mitigating, and managing critical risks that may impact their core business functions.

Now that we are just one year away from the 17 January 2025 deadline, it is time for organisations to get serious about their compliance and resilience initiatives. Organisations should not look to simply ‘check the box’ for DORA compliance – they should view DORA as an opportunity to align disciplines such as information technology disaster recovery and third-party risk management, and create a framework to enhance their overall approach to resilience.

By creating a robust digital operational resilience strategy across the entire organisation, firms will ensure they are meeting evolving regulatory requirements and digital resilience expectations from regulators, customers, and stakeholders for years to come.

Q: How can organisations leverage compliance to build long-term value with a cross-functional approach?

A: DORA requirements impact stakeholders across the organisation. The regulation places the financial institution’s management team in charge of defining, approving, and overseeing DORA compliance. However, the actual programme execution will require additional commitment and buy-in from other functions, including disaster recovery, third-party risk management, crisis management, incident response, business continuity, compliance, and legal teams. Without a cross-functional approach from the start, organisational silos can arise that will make it challenging to engage with the individuals and teams that are required for success.

Organisations should evaluate where they are on their digital operational resilience journey as well as review existing practices to identify disconnected functional areas and gaps that must be improved for compliance. By enhancing their best practices and establishing group-wide processes within business units, they will deliver long-term value that goes beyond compliance to achieve true operational resilience.

Q: Why must organisations begin preparation today to meet the DORA compliance deadline before the final specifications are announced in the second half of the year?

A: Although we are still waiting for some final details, financial institutions must start their DORA preparations today if they haven’t already. The EU has already laid out the five pillars of DORA compliance: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information and intelligence sharing. These pillars will not change before the January 2025 deadline, so organisations must begin working towards compliance today.

All Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) specifications will be released in the second half of 2024. If an organisation waits until then, it will likely be racing against the clock to implement the needed processes and procedures. Now is the time to finalise your digital operational resilience strategy and gather the necessary buy-in to ensure that your organisation can meet the final compliance deadline.

Q: How does the regulation differ from established operational resilience regulations?

A: DORA was developed to strengthen compliance efforts across the EU and combine several existing regulations into one cohesive rule. Some firms may already meet aspects of DORA’s requirements through their compliance programmes with existing regulations, such as the European Banking Authority (EBA) guidelines on ICT and security risk management.

While DORA requirements can be coupled to broader operational resilience objectives around important business services, DORA is a transformative regulation compared to some others that we have seen in the way that it extends resilience expectations to ICT third-party providers. Ultimately, DORA’s framework will improve the resilience of interdependent organisations, increase the strength of financial services’ supply chains and the broader ecosystem, and enhance the objectives around broader organisational resilience strategies and regulations.
