
Earlier this year, Alpha FMC released an article highlighting key requirements and considerations in Traversing the Path to Success for the European Union’s Digital Operational Resilience Act (DORA).
With the regulatory deadline of 17th January 2025 looming, much like the finish line of an Olympic marathon, firms are racing against time to overcome the complexity of the requirements and the sheer volume of work. In this article we seek to address these industry-wide challenges and offer strategies to overcome these hurdles within tight timelines. We also look at how firms can leverage new and enticing AI GRC tools which may be able to assist firms with any residual gap analysis and implementation required for DORA.
The DORA Implementation Hurdles
1. End-to-end mapping
Under Article 8, firms must map all Critical and Important Functions (CIFs) through to business procedures – a Herculean task not to be underestimated. How firms will map their CIFs in a meaningful and ‘living’ way will be a key question, ensuring that data will inform key decision-making and facilitate items being kept up to date. With a significant overlap between EU DORA requirements and UK & Ireland Operational Resilience, it will be beneficial for firms with entities across multiple jurisdictions to have a central repository (e.g. a singular GRC system) that can toggle between the various regulations.
2. High volume of requirements
With the recent publication of the ESAs’ second batch of Technical Standards it is evident that whilst DORA requirements are now clearer, their volume and complexity will be taxing to implement with only six months left to the deadline. Leveraging AI will help firms expedite this process significantly for key deliverables, such as the review of extensive documents like ICT vendor contracts and policies. Historically, engagement from vendors has been lacking, but DORA’s more stringent requirements for third parties will change this. However, regulatory oversight of Critical Third Parties will take some time, and in the meantime firms will need to put in place tools and methodologies to access the market data they will require for compliance (i.e. subcontractor chains).
3. Application of Proportionality
Proportionality is a well-known regulatory concept that prevents small firms from having to overextend themselves in order to comply. However, what does “proportionality” actually mean in practice? Financial entities must implement requirements taking into account their size, risk profile, scope and complexity of their services. Engaging in workshops with senior management to define what proportionality means for them is crucial. Exercises such as exploring the depth of mapping to achieve this and assessing the are two practical methods to agree on for the application of proportionality. Additionally, finding areas of opportunities where policies can be shared among entities can significantly reduce firms’ workload and costs.
4. Threat Led Penetration Testing (TLPT) scenario identification
Historically, conducting TLPT has helped entities uncover in greater depth how specific business areas would be impacted in the event of an attack, and identify detailed learnings for further development. However, given the business-wide scope of TLPT under DORA, firms in scope for TLPT are finding it difficult to ensure robust scenarios that will retain this depth. Considering the active involvement of third parties in this exercise, firms are finding the preparation and coordination of these TLPT sessions strenuous to manage internally.
5. Identifying and managing the subcontractor chain
Akin to an Olympic relay race, every link in the chain is crucial. This sentiment has only been strengthened with the recent publication of the final RTS (30.5) on subcontracting ICT services supporting CIFs, along with the Register of Information’s requirements surrounding subcontractors (28.9). Many firms have highlighted the immediate challenge of how to obtain information surrounding subcontractor chains whilst also respecting the confidentiality of the contracts between firms’ direct ICT third-party providers and their own providers. Utilising tools and teams that can expedite communications with numerous ICT third parties, as well as leveraging any available market datasets, will be crucial in supporting firms to meet these heightened requirements.
6. Internal Programme Ownership
Ownership of the DORA Programme tends to be distributed within the firm, with deliverables typically being split between Operational Risk, Technology and Business Continuity functions. To effectively manage this complexity and scale, firms will need effective tools which can help to ‘pass the baton’ between multiple departments & stakeholders, acting as a centralised repository for all DORA actions to maintain control and consistency. A streamlined and clean workflow within a singular system will significantly accelerate firms’ journey to complying with DORA.
7. Entity Structure Application
Many in-scope firms will have numerous entities which are subject to DORA requirements, either directly (if the entity is in the EU) or indirectly (if a non-EU entity provides ICT services to an EU-entity). DORA requires firms to implement requirements consistently throughout the group, which can be a challenge for firms implementing DORA through regional teams with varying processes and procedures. It is advisable for firms to first agree a common set of policies, assessment criteria and templates to ensure that all in-scope entities can ‘sing from the same hymn sheet’. Having a GRC tool through which artefacts are project-managed and created will help to ensure consistency, traceability and adherence to common standards.
Sprinting Towards Compliance
In the race against time, financial entities must clear these industry-wide hurdles, all requiring considerable time, effort, and internal organisation. With the demand to accelerate DORA implementation, Alpha has recently partnered with GIEOM, an industry-leading AI-driven GRC provider, to offer its clients an end-to-end (E2E) DORA solution, drawing on Alpha’s deep expertise in the asset & wealth management regulatory space and GIEOM’s cutting-edge DORA technology.
If you would like more information on how to best approach the upcoming DORA requirements and future-proof your operations, get in touch with Alpha’s team of risk & resilience specialists here.