
What is DORA, and how can banks collaborate with tech providers to prepare for it?

Gabriela Giannattasio

VP EMEA, Veritran

This article was co-authored by Carlos Cordova Niewold, chief cyber resilience officer at Veritran.

As financial transactions have moved onto digital platforms, the banking sector has evolved into a technology-first ecosystem. At the same time, the mass digitisation of financial services has brought in a wave of technology startups of varying maturity, and banks' growing dependency on technology, much of it supplied by third parties, has created new resilience challenges.

The positive side of the banking sector's digital transformation is the delivery of faster and cheaper services to consumers. However, as digital systems have become more complex and more interconnected, the financial industry has also become more exposed to cyber threats and operational disruptions, and a failure at one provider can now propagate to many institutions at once.

To protect consumers and support innovation, the EU adopted the Digital Operational Resilience Act (DORA). DORA is an EU regulation aimed at ensuring the operational resilience of financial entities and the ICT providers they depend on. It sets requirements across five areas: ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing, management of ICT third-party risk (including an oversight framework for critical ICT third-party providers), and information sharing. DORA matters because it brings newer, less mature entrants under a common standard and gives incumbent banks a framework for shaping their risk strategies as they undergo digital transformation.

DORA impact on EU banking operations and compliance

Over 22,000 financial entities and information and communication technology (ICT) firms will be required to comply with DORA.

The core of DORA is integrated resilience management: enhanced governance across all domains, with risk and compliance addressed together rather than in isolation. That requires ongoing threat assessment and continuous evaluation of the environment so that potential cyber-attacks and operational disruptions are identified before they cause an outage.

Complying with DORA brings enhanced oversight and end-to-end orchestration and harmonisation of resilience management across several business disciplines, resulting in a continuous cycle of identifying, mitigating, and reporting on risks.

The clock is ticking for financial institutions to comply with DORA

Becoming compliant with DORA is a demanding task for incumbent banks and new players alike, because the regulation's core requirements have to be embedded into existing frameworks rather than bolted on. With DORA applying to financial institutions in the EU from 17 January 2025, banks are under pressure to work out how they will comply.

Financial institutions are always looking for ways to innovate, expand, cut costs, and process more transactions. An integrated view of risk is a vital part of the management process in the financial industry: risks must be identified end to end so that no critical dependency which might affect resilience is missed. DORA provides this oversight with a specific focus on digital risk management, which is a significant and necessary change for the industry.

It will be a daunting task for traditional banks to comply with DORA, as today's silos of governance, business functions, processes, and supporting technology need to be orchestrated into a more unified approach. Banks will be looking at how to minimise the disruption that achieving compliance causes within their organisation.

Technology vendors can support banks in DORA compliance

Many incumbent banks in the EU are offloading risk management activities and the compliance burden by partnering with third-party technology providers. A technology vendor with a 'DORA by design' approach can deliver consistently DORA-compliant services by addressing risk and compliance requirements during service delivery and during the development of new services. One caveat: DORA leaves accountability with the financial entity, so outsourcing an ICT service does not outsource responsibility for compliance. The bank still needs contractual rights to audit and monitor the provider, a register of its ICT third-party arrangements, and an exit strategy for each critical service.

There is a considerable cost for financial institutions to become compliant with DORA. This 'cost of compliance' comprises technology investment, risk management activities, audit and monitoring expenses, operational changes, training and education, documentation and reporting, insurance, and exposure to potential penalties and fines.

Silos will need to be broken down, and substantial resources and detailed governance will be required. This is where technology vendors can create value for financial institutions: by providing services that already incorporate the 'cost of compliance', or by drawing on their experience to support both traditional and new financial institutions in becoming compliant with DORA.

When choosing a provider to take on DORA compliance work for a bank, look for companies that have an established place within the sector and strike a balance between business opportunity, service delivery, innovation, security, and compliance. Finding that equilibrium leads to 'good friction': a healthy collaboration in which compliance and security requirements are met without degrading the customer's user experience.

Challenges in DORA compliance

DORA provides an opportunity to better align the separate areas of operation that have traditionally handled resilience, so that they work closely together to address compliance, formulate risk strategies, and tactically align the business to ensure long-term success and provide value to clients.

For instance, risk management, information security management, business continuity management, and fraud management can be integrated into a single (cyber) resilience management function, so that resources, knowledge, experience, processes, and technology are shared rather than duplicated.

Traditional banks have mature governance structures and risk and compliance management capabilities, but will likely find it difficult to integrate modern technologies such as machine learning (ML) and artificial intelligence (AI) with compliance requirements on top of their legacy systems.

Digitally native banks will have the upper hand when it comes to DORA compliance, as their functions are already digital-focused. They have the capabilities in place for the new digital ecosystem and can adapt as new innovations emerge. Where they may struggle is with resources: doing the compliance and testing work themselves, or finding the funds to offload part of it. It will not be easy for challenger banks to keep up the pace of innovation and deliver consistent services to clients while implementing compliance.

A long-term impact of DORA will be a further push towards automation and AI-powered solutions to reduce the compliance burden. AI support will lower the number of manual tasks required in risk management and compliance.

DORA goes global

DORA is currently being implemented in the European market, but it has global implications, because the need it addresses, evolving threats and the drive to innovate, is not confined to Europe.

Vendors that have DORA integrated in their service offerings can deliver extra value in US and Latin American markets by leveraging their high level of operational resilience management to prepare businesses for the future. Like ISO/IEC 27001 (which grew out of the British standard BS 7799) and GDPR, both European in origin, DORA has the potential to be adopted globally.

DORA will function as a more integrated defence against cyber-attacks and operational failures, resulting in improved continuity of services and faster recovery when the financial services ecosystem is hit by an incident. Overall, it will make the entire financial industry more resilient by strengthening collaboration between regulators, technology vendors, and financial institutions, and by harmonising risk strategies and resilience protocols across them.