The enforceable deadline for DORA is now under a year away and organisations in the FS sector are in a difficult position. Preparing for any change in regulation is hard enough, but with the European Banking Authority yet to publish the final technical specification
or a list of critical IT providers, businesses are effectively still in the dark in terms of the detail.
Gambling by taking a ‘wait and see’ approach is unlikely to impress the regulator. However, if being fully compliant by 17th January 2025 is unrealistic, demonstrable progress and having a clear plan to meet all requirements within a reasonable timeframe
should mean escaping the harshest punishments.
In the absence of definitive technical guidelines, how can financial entities best prepare for DORA? For many, it will require going against conventional wisdom and accepting that DORA is primarily a business challenge and not just a technology issue.
Yes, it’s true that DORA is largely concerned with cybersecurity and cloud concentration risk. It’s also true that technology is a vital part of any compliance strategy. But security has become one of the most important issues for business leaders. A
2022 Gartner Board of Directors Survey found that 88% of board members classified cybersecurity as a business risk while just 12% called it a technology risk.
Taking ownership
I recently met with a customer that has been involved in a months-long argument between the IT department and the compliance team about who was responsible for DORA in their business. This argument has distracted both teams, and neither is any clearer about
where they need to start.
The reality is that the whole business needs to get behind it, and everyone in the organisation will have some role to play. This means a cultural change at every level and the recognition that flexibility will be important at a time of momentous change
for FS – similar cloud-related regulations will come into effect in other geographies, and new AI policies will also impact the sector.
Moving ahead
So, the business has collectively accepted they have an issue. What can they do to prepare?
Firstly, it is a case of identifying the key stakeholders and assigning clear roles and areas of ownership. Article four of DORA firmly places responsibility for compliance on senior management, meaning it is essential that it is on the C-suite agenda. These
key stakeholders should, in effect, create a working group responsible for delivering compliance, as well as having a clear knowledge and understanding of the Act and the articles within it.
The next step is then looking at where an organisation already complies with DORA and identifying areas that will require change, investment, or development. Businesses may be surprised to find how much of it they are already doing right. But until you conduct
this exercise it will be impossible to know what requires investment, whether that is skills, procedures, policy, or technology.
These steps will pose a significant challenge for larger organisations, which due to their scale can be very siloed. This is where nurturing the right culture will be essential. Working across silos on complex projects can be extremely difficult, particularly
when you bring together departments or business units that never normally speak to each other. But by opening that dialogue and understanding the challenges each side is facing, they can learn how to help solve each other's challenges as well as their
own.
Gaining an edge
One thing that’s certain is that DORA will not be the last piece of major technology-focused regulation to trouble FS businesses in the next few years. But putting most of the transformation burden at the IT department’s door is unlikely to result in
the smoothest transition.
Organisations that establish effective cross-department working practices and adopt the necessary cultural changes are likely to make light work of their compliance obligations. Numerous upcoming regulation changes could mean that perfecting the process
now could deliver an edge over less enlightened competitors.