In the fast-paced world of capital markets, where operations drive the engine of global derivatives markets, a new regulatory tsunami is peeking over the horizon. DORA, the Digital Operational Resilience Act, is a piece of legislation that aims to reshape the landscape of operational resilience in the financial sector.
With it only being implemented in 2025, the feedback we have received from operations managers has been somewhat mixed. Some are gearing up for its impact whilst others are only hearing about it for the first time. With implementation still two years away and the financial sector already burdened with regulations, will add yet another layer of regulation actually enhance operational resilience? Alternatively, if it is needed, can organisations afford to potentially leave vulnerabilities unchecked for so long?
What is DORA, and why does it matter?
DORA is the European Union’s response to the ever-growing importance of operational resilience and will apply to all regulated financial firms operating within the EU. When we consider some of the events that have taken place within the past year, operational resilience has correctly been placed firmly in the spotlight, particularly in the context of digital operations.
It is important to note that DORA is a multifaceted regulation with several key provisions. This includes ICT risk management, incident reporting, testing for resilience, information sharing, and ICT third-party risk. It also applies to ICT third-party service providers, meaning that financial institutions will need to ensure that their third-party providers are also compliant with DORA requirements. It has a far reach and will take both time and effort to comply with its various requirements.
We look at some of the areas DORA focuses on and whether it can have the desired impact it is looking for:
DORA’s focus is all about strengthening operational resilience, which is the ability of organisations to withstand and recover from any and all disruptions. Improving operational resilience is paramount in today’s digital age, where finance and technology are inseparable. The concerns though are whether it will stifle innovation or possibly impose excessive compliance costs on organisations. It is also expected to lead to increased costs but the benefits are likely to outweigh the costs of compliance. With implementation only in 2025, will most firms already have sorted out all potential vulnerabilities, leaving DORA as an expensive box-ticking exercise? Only time will tell.
The digital realm is placed at the forefront of DORA and for good reason. It acknowledges the risks associated with information and communication technology and sets out comprehensive rules for managing them. With it being “digitally focused” though, there is the potential for other areas of operational resilience to be overlooked and not adequately addressed. Any potential gaps are cause for concern and an opportunity to be exploited. This could leave organisations with a false sense of confidence.
The regulation introduces a structured approach to incident reporting. Ensuring that major ICT-related incidents and cyber threats are promptly reported to the relevant authorities. These need to be reported to the relevant authorities within 72 hours, which is a significant change from current requirements. This could be challenging though. Firms will need to ensure third-party service providers also adhere to these requirements and may need to place their faith in them as they may not have full control over the third party’s incident response. Increased reporting may also have the undesired effect of inadvertently exposing firms to greater cybersecurity risks, as malicious actors look to exploit the disclosure of these vulnerabilities.
The act promotes a proactive stance toward risk mitigation by requiring financial entities to conduct digital operational resilience testing. This means regular stress-testing of systems ensuring that they can withstand adverse events. This will be expensive though and there may be a worry about the cost-effectiveness of these measures, especially if budgets are constrained. The allocation of the resources required for this, both human and financial, could place an even greater strain on an organisation’s overall operations budget.
Conclusion: A regulatory conundrum
Whilst DORA was published in the Official Journal of the European Union on 27 December 2022, it’s set only to take effect on 17 January 2025. Its impact does extend beyond its effective date though, as the European Commission has been tasked with conducting a review by 17 January 2026. This review could lead to strengthened requirements for statutory auditors and audit firms regarding digital operational resilience.
If you’re part of the Capital Markets, then you must start preparing. It will result in bolstering operational resilience, heightening digital vigilance, underscoring the importance of collective security efforts and being prepared for any future stringent requirements. But at what cost? With budgets getting ever smaller and an implication date over two years away, will organisations look to kick the can down the road and concern themselves with the here and now instead? This year has shown that vulnerabilities are very much prevalent and need to be dealt with immediately.
We believe that if you have the budgets and resources available now, then implement it and get ahead of the curve. If resources are limited, draft up a plan as to how you are going to get there and start working through the requirements one by one.