17 January is implementation day for the Digital Operational Resilience Act (DORA). On Next, its publication for fintech insights and news, Broadridge gives a round-up of what in-scope institutions might expect once the regulation comes into force. Beyond being just a regulation, DORA also represents “a paradigm shift in operational resilience”, says the fintech solutions provider.
DORA might be a European regulation, but its impact isn’t bound by geography. Broadridge’s article points out that financial entities in the US and Asia that provide services in Europe must also align their practices with DORA standards. This has led to what David Turmaine, the firm’s head of international consulting, calls a “regulatory tsunami”, reflecting the growing interconnectedness of global financial markets and the universal nature of cyber risks.
An uphill climb
Both large and small organisations are likely to find compliance with DORA challenging, but in different ways.
For large entities, the main challenge comes from “managing extensive and interconnected technological ecosystems” that have been, in Turmaine’s words, “cobbled together over 20, 30 years”. “Most banks wouldn’t build what they have today if they were starting from scratch,” he says.
For many small firms, DORA might be “their first exposure to stringent resilience requirements”. Compounded by restrictions in budgets and limited experience in regulatory compliance, these firms are likely to face a steep learning curve.
No rest
Perhaps most importantly, DORA “is not merely a compliance exercise; it is about cultivating a resilient, adaptive operational mindset”. Turmaine emphasises the importance of going beyond just ticking boxes, saying that firms should also “understand the regulation, why it’s important, and what steps are necessary to genuinely reduce risk and enhance resilience”.
DORA has been designed to require active engagement, an approach that emphasises that “compliance is not a static achievement but an ongoing process”. Continuous monitoring will become the new norm. Organisations will have to get used to “maintaining an ongoing awareness of risks across multiple parameters”, using tools such as key risk indicators to regularly review their risk profile and ensure that it “remains manageable”.
Resilience will have to become a “core business value”, embedded into every policy, procedure, and the overall mindset. The goal, according to the article, is to “align resilience efforts with business objectives, transforming them into a competitive advantage”.