
DORA requires ‘cultural change’ in financial services, NetApp CTO warns

Steve Rackham, CTO for Financial Services at NetApp

Implementing the EU Digital Operational Resilience Act (DORA) will be a huge challenge for many financial services players, a task that many banks and other finance firms may underestimate as it may require an overhaul of their current culture.

That is the stark warning from industry insider Steven Rackham, currently the chief technology officer for Financial Services at NetApp, based in London.

Rackham, who is also a financial services council member at industry group TechUK, said that “preparing for any change in regulation is hard enough, but with the European Banking Authority yet to publish the final technical specification or a list of critical IT providers, businesses are effectively still in the dark in terms of the detail.”

“Gambling by taking a ‘wait and see’ approach is unlikely to impress the regulator,” he stressed.

Consultation underway

DORA will come into force on 17 January of next year. Last month, the European Supervisory Authorities (the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA)) published consultation papers on their latest batch of draft standards relating to DORA.

The draft standards covered topics including timeframes for IT incident reporting. An initial report is required within 4 hours of the classification of a major incident, followed by an intermediate report within 72 hours and a final report within 1 month.

Draft standards were also set out concerning the management of critical third-party IT providers and security testing. Responses are accepted until next week, 4 March.

However, “if being fully compliant by 17th January 2025 is unrealistic, demonstrable progress and having a clear plan to meet all requirements within a reasonable timeframe should mean escaping the harshest punishments,” Rackham wrote on UK fintech website Finextra.

“In the absence of definitive technical guidelines, how can financial entities best prepare for DORA?”

Steven Rackham

“For many, it will require going against conventional wisdom and accepting that DORA is primarily a business challenge and not just a technology issue.”

Rackham stressed that a cultural change is needed within any financial services firm to fully understand and implement DORA.

“The reality is that the whole business needs to get behind it, and everyone in the organisation will have some role to play. This means a cultural change at every level and the recognition that flexibility will be important at a time of momentous change for financial services,” he wrote.

Efforts

Meanwhile, some efforts are underway to help businesses make sense of the upcoming rules.

In November, the German Federal Financial Supervisory Authority, BaFin, launched an information site designed to provide guidance to financial institutions on DORA.

The site provides an overview of DORA and gives updates on the current state of the DORA consultations being carried out by the European Supervisory Authorities, the EU regulatory advisory body made up of the EBA, EIOPA and ESMA.

Other regulators are expected to roll out similar websites in the next few months.