Preparing for DORA: key considerations for firms

03 May 2024

In January 2025, the European Union (EU) is set to enact its Digital Operational Resilience Act (DORA). This regulation establishes consistent standards to enhance and unify the management of risks related to IT, network, and information system security across the EU, working to promote visibility and operational resilience.

With the implementation date less than a year away, following the two-year period for consultation and preparation, any financial institution or critical third-party technology service provider that needs access to or operates within the EU market is faced with the pressing need to comply with these new standards. This may necessitate significant adjustments to their outsourcing strategies, requiring enhanced oversight of these arrangements.

In light of this transitioning period, I have listed key points that firms need to consider in order to prepare for the DORA legislation:

Outsourcing Oversight

Outsourcing oversight involves the careful monitoring and management of third-party services, encompassing vendor selection, contract management, and performance monitoring. It ensures outsourced functions align with a company’s goals and maintain high quality, addressing issues promptly to uphold operational standards and strategic objectives.

The legislation places particular emphasis on the use of service providers for ICT functions and on any contracts entered into by firms that could expose them to third-party risk. RFA's knowledge of financial policies, including FCA legislation, gives us global experience with similar requirements, putting us in a good position to provide support. We are already actively assisting both existing clients and new firms in navigating these requirements, ensuring they are well prepared for the upcoming changes.

FCA Similarities

Much of the DORA legislation is reflected in the requirements set by the FCA. Despite their different scopes, the procedures for outsourcing oversight under both frameworks achieve the same end goal; however, the FCA's regulations have been in place longer, and firms are expected to already comply with them.

  • Contractual Requirements

Under both frameworks, contracts with service providers must clearly articulate the rights and obligations of all parties, including service-level agreements, data security standards and audit rights.

  • Due Diligence

Both regimes mandate that financial institutions perform adequate due diligence before entering into an outsourcing agreement. This involves scrutinising the service provider’s capabilities, financial stability, and reputation.

  • Data Protection and Confidentiality

Both DORA and FCA legislation highlight the need for stringent data protection measures in outsourcing arrangements. Institutions must ensure that their service providers adhere to relevant data protection laws and maintain the confidentiality and integrity of information.

  • Access and Audit Rights

Both regimes stipulate that financial institutions must have adequate access to the data and facilities of the service provider. They must also have the right to conduct audits, or to request third-party audits, to ensure compliance with contractual and regulatory requirements.

For regulated firms with activity in the EU, navigating these policies presents a mix of challenges and opportunities. The stringent requirements call for a comprehensive review of existing outsourcing arrangements and, potentially, the establishment of new protocols to ensure compliance. However, this also offers firms a chance to reassess and strengthen their operational resilience and risk management practices, aligning more closely with regulatory expectations. This strategic alignment not only mitigates risk but also positions firms to capitalise on the benefits of enhanced operational efficiency and governance.


How RFA can help

As a third-party service provider supporting many clients within the EU financial markets and beyond, RFA has a deep understanding of the regulatory environment governing these firms. Our team has the expertise to help you manage your operational risk, achieve a robust solution and stay compliant.

If you would like to learn how we can help you prepare for the implementation of DORA, please contact me.
