In January 2023, the European Union (EU) announced its Digital Operational Resilience Act (DORA), which will come into force in January 2025. The goal of the DORA legislation is to strengthen the IT security of all financial entities in the EU and to promote visibility and operational resilience. Protection against digital threats will also become a compulsory legal requirement for all firms operating in the financial services industry.
Firms now have just under a year to prepare for this statutory requirement. Here, I explore the key areas of focus for financial firms and outline a roadmap for the next year to ensure compliance with the changes in legislation by 2025.
Industry-wide legislation for managing ICT risks
The EU’s goal of establishing a consolidated regulatory approach to digital resilience is reflected in the legislation, and nearly all firms in the financial sector will be affected. The legislation will harmonise rules that, it is hoped, will foster operational resilience. The DORA act is set to apply to investment firms, pension funds, payment institutions, banks, insurers, crypto-asset companies, central counterparties (CCPs), crowd-funding providers and central securities depositories (CSDs). There will be very few exceptions. It is worth noting that the new DORA rules will also apply to the non-EU entities of EU-based financial entities. Firms in this position will therefore require a global strategy for ICT risk management planning, which potentially means a huge amount of work ahead for some firms.
Mitigating third-party risks
New IT requirements will be introduced for financial institutions regardless of their assets under management (AUM), in order to improve the overall risk posture of firms. These will extend beyond cybersecurity risks alone and will include mitigating physical ICT risks. There will be particular emphasis on the use of service providers for ICT functions and on any contracts entered into by firms that could expose them to third-party risk. RFA are prepared and are actively working with our clients and new firms now to support them in this area.
The DORA act will detail requirements for firms that enter into contracts with third-party service providers. Financial firms will be required to implement third-party risk management policies, carry out due diligence on any potential providers and maintain contractual agreements that set out the provisions for data protection, termination rights, audit strategies and cooperation with regulators. Again, RFA have prepared for this and are in a position to support your firm in carrying out this due diligence. With just a year ahead of the deadline for implementation, there is an expectation that updating such ICT contracts could become a bottleneck. To avoid this, firms need to move full steam ahead to update contracts so that they are in line with the DORA act.
Management teams must ensure governance
The DORA act also requires that firms be able to adhere to varying external and internal regulatory requirements to ensure the proper management of ICT risks. Management teams will need to establish clear roles and responsibilities for the board, as well as policies for ICT-related functions. This will include who reviews and approves policies, audits and the budgeting of tools. Governance and risk policies will need to be updated accordingly, and if third-party vendors such as RFA form part of the governance structure, they should be documented as such.
Key takeaways to ensure the adoption of new DORA requirements include:
- Building a timeline to January 2025 with a clear distribution of roles and responsibilities for governance and ICT policies.
- Investing in third-party risk management and planning with RFA to ensure adherence to regulatory requirements.
- Updating any contract agreements with third-party service suppliers in a timely manner.
As a third-party service provider to many clients in the EU financial markets and beyond, RFA understands the regulatory landscape in which firms operate. Our key priority for 2024 will be helping clients to strategise for these new regulatory demands in a timely manner so that they can ensure operations run smoothly and in compliance with EU regulation. If you would like to learn how we can help you get ready for the DORA act implementation, contact me. I am here to help.