DORA Q&A: Finance firms should tailor testing, says Encompass CISO

Cambridge, UK-based Neil Acworth, since March of 2024 chief information security officer of Encompass Corporation

As the implementation deadline for the Digital Operational Resilience Act (DORA) draws near, this coming Friday, banks and financial firms across Europe are rushing to make sense of the new rules and, perhaps more importantly, to be fully compliant by 17 January 2025, the date from which the regulation applies.

Because there is no doubt about it: bankers, legal experts, regulators and others have all said that DORA may mean a whirlwind of change in the regulatory climate that banks and other financial firms face in relation to their digital infrastructure and assets.

A whirlwind, because many European banks are simply not yet prepared for DORA. At least, that was the stark warning from the European Central Bank (ECB) at the end of last year.

As the financial services space tries to make sense of the maze of new rules, QA Financial catches up with a host of experts and industry insiders ahead of the January 17 deadline, which is this Friday.

Today Neil Acworth, chief information security officer at digital identity software firm Encompass Corporation, highlights the urgent need for robust third-party risk management in light of the arrival of DORA.

Cambridge, UK-based Acworth emphasises that financial firms must prioritise resilience strategies to mitigate vendor risks.

As reported by QA Financial, the European Central Bank recently warned that the QA strategy at many European banks is not up to scratch, while DORA is less than two months away. Is the financial services space running out of time?

The financial services sector is undoubtedly under time pressure as the DORA compliance deadline looms less than two months away. However, the urgency does not mean the opportunity to address the associated challenges has already passed. DORA emphasises an ongoing, iterative process of identifying, mitigating, and addressing risks. Unlike frameworks that focus on static compliance, DORA is designed to promote a culture of ongoing operational resilience.

Non-compliance itself is a risk that financial institutions must actively manage. Recognising this risk is the first step toward building structured, forward-looking programmes that strengthen resilience in an environment of increasing cyber threats. Even if all requirements cannot be fully implemented before the deadline, demonstrating a commitment to progress and a clear plan for achieving compliance will be essential for mitigating potential regulatory scrutiny. Ultimately, DORA is not just about meeting deadlines; it’s a strategic opportunity for financial institutions to modernise their risk management approaches and strengthen their defences against evolving threats.

DORA highlights the need for robust third-party risk management. How should financial firms go about this?

To align with DORA’s stringent requirements for third-party risk management, financial institutions need to adopt a methodical approach. The first step involves conducting a comprehensive review of all third-party ICT service providers. Each provider should be assessed and categorised according to the criticality of the services they deliver and the level of exposure they pose. For example, third parties that support core banking systems or handle sensitive customer data should receive immediate attention.


“DORA is not just about meeting deadlines, it’s a strategic opportunity for financial institutions to modernise.”

– Neil Acworth

Once third-party relationships are categorised, financial institutions should perform a compliance gap analysis. This involves scrutinising existing contracts against DORA’s specific requirements. Any discrepancies must be documented, and action plans should be developed to address them. Remediation may involve renegotiating contractual terms to incorporate mandatory clauses required by DORA. The real challenge lies in managing non-compliant vendors, particularly those unwilling or unable to adapt to these updates. Institutions may need to weigh the risk of retaining such vendors against the feasibility of transitioning to more compliant alternatives.

It is critical to ensure that third-party assurance mechanisms are in place. Financial institutions should prioritise working with vendors who have demonstrable evidence of compliance, such as independently audited certifications like SOC 2. This reduces the burden of verifying compliance and ensures alignment with DORA’s emphasis on robust, verifiable controls. Where vendors fall short, the institution must either work to bring them up to standard or reevaluate their continued use. By integrating these practices, financial institutions can effectively address third-party risks and lay the foundation for long-term compliance.

How should financial firms prioritise resilience strategies to mitigate vendor risks, safeguard customer data, and maintain uninterrupted services, all requirements under DORA?

Resilience under DORA requires financial institutions to focus on several interconnected areas, including vendor risk management, customer data protection, and service continuity. These elements should be prioritised based on their potential impact on the institution’s operational stability and compliance obligations.

Vendor risk management is a crucial starting point. Financial institutions should identify their most critical third-party relationships and assess the risks associated with these providers. Those that deliver essential services or handle sensitive data should be reviewed and remediated as a priority. For example, renegotiating contracts or demanding additional assurances may be necessary to meet DORA’s standards.

Testing and monitoring frameworks must also be enhanced. DORA’s emphasis on rigorous and regular testing, particularly for critical systems, sets a higher bar for operational resilience. While some interpret these requirements to mean daily tests for high-risk systems, financial institutions should tailor the frequency and intensity of testing to align with the specific risk levels of their operations. Continuous monitoring systems should be implemented to ensure that vulnerabilities are identified and addressed promptly.


“Financial institutions should tailor the frequency and intensity of testing to align with the specific risk levels of their operations.”

– Neil Acworth

Customer data protection is another key pillar of resilience. Robust encryption protocols, multi-factor authentication, and advanced monitoring systems must be employed to safeguard customer information against breaches. In parallel, institutions should refine their incident response plans to ensure that disruptions can be swiftly managed and regulatory reporting requirements are met within the mandated timeframes.

Prioritisation should be guided by a risk-based approach, focusing resources on areas that pose the greatest threats to operational continuity, customer trust, and regulatory compliance. By aligning their strategies with DORA’s core principles, financial institutions can build resilience while maintaining uninterrupted service delivery.

What will be the most impactful and direct changes under DORA? For example, Article 26 requires continuous, rigorous testing, which many interpret as daily tests versus the current regular tests?

One of the most significant changes introduced by DORA is the requirement for continuous and rigorous testing of operational resilience. This represents a shift from traditional practices of periodic testing to more frequent, and in some cases, daily testing for critical systems. The rationale behind this change is to simulate real-time risks and ensure institutions are equipped to handle evolving threats promptly.

Another transformative aspect of DORA is the expanded scope of risk management. Unlike traditional regulations that focus solely on core banking systems, DORA recognises that vulnerabilities can arise from interconnected third-party services. Recent incidents, such as the CrowdStrike outage, underscore how disruptions in supporting functions like anti-virus software can cascade into operational failures. Under DORA, financial institutions are required to assess and manage these extended risks comprehensively.

DORA’s introduction of detailed Regulatory Technical Standards (RTS) ensures a level of specificity that many other frameworks lack. This demands a more structured and consistent approach to compliance, which includes clearly defined processes for risk assessment, incident reporting, and contractual obligations with third-party providers. For many institutions, adapting to this level of detail will require significant operational changes.

These changes collectively push financial institutions toward a culture of proactive and continuous risk management, ensuring that resilience is embedded deeply within their operations.

Have you seen or heard about a bank or other financial institution that has done its groundwork and is fully prepared for the new DORA rules? 

While the majority of financial institutions are still in the process of adapting to DORA, there are examples of organisations that have laid substantial groundwork ahead of the January deadline. These institutions are often those that have already aligned their operations with internationally recognised standards such as SOC 2 or the PCI DSS framework. By leveraging existing compliance practices, they have been able to transition more seamlessly to DORA’s requirements.


“Full DORA compliance by January 17 is a challenge for many.”

– Neil Acworth

We have several customers who are well-prepared for DORA. These institutions have proactively conducted gap analyses, updated third-party contracts, and implemented advanced monitoring and testing frameworks. Their readiness underscores the value of early adoption and investment in robust risk management tools. While full compliance by January is a challenge for many, these examples highlight that institutions with a proactive approach and strong foundational practices are in a much better position to meet the deadline.

Anything else you would like to say or share ahead of DORA’s deadline, this Friday?

As the January deadline approaches, it is important for financial institutions to view DORA not merely as a regulatory obligation but as an opportunity to strengthen their resilience in an increasingly complex threat landscape. While the timeline is tight, the key is to focus on progress rather than perfection. Even partial compliance efforts, such as initiating contract reviews and enhancing testing capabilities, will demonstrate good faith and reduce the risk of penalties.

Institutions should also consider leveraging technology to streamline their compliance efforts. Automated tools for risk assessments, contract management, and real-time monitoring can significantly reduce the burden of manual processes and help institutions stay on track. Furthermore, fostering a culture of continuous improvement, rather than one of reactive compliance, will be crucial for long-term success under DORA.

Finally, collaboration will be critical. Financial institutions should engage with peers, industry groups, and regulatory bodies to share insights, identify best practices, and navigate challenges collectively. The ultimate goal of DORA is to create a more resilient financial ecosystem, and working together will ensure that this vision is realised effectively.
