
DORA

Author: Chris Goodeve-Ballard


DORA, the Digital Operational Resilience Act, or as I know many prefer to call it, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011”, applies in full from Friday 17 January 2025.


Why a Friday?


Well, the cynical among you, who may also remember MiFID and a host of other European rules, may think that it gives you a whole weekend to decide to ignore it and carry on with your life. The less cynical will just give a Gallic shrug of the shoulders and get on with it.


As a former Army Officer, Head of Compliance and Money Laundering Reporting Officer, it should be a safe bet that I’m big on authoritarianism and think rules are great. Actually, I’m rubbish with authority, argue whenever possible and do my level best to get around, over, under or simply blast through the rules.


I would like to think that my aversion to being told what to do and how to do it means that when I say that there is a smidgen of common sense in a particular set of rules, people might sit up and take notice. I’m not arrogant enough to think that everybody will notice me say this, but if a few of those who know me notice, I hope the word will spread.


DORA, despite being the usual mish-mash of TLAs, applying directly only to EU-regulated financial entities (and, through them, to the ICT providers that serve them) and not being the most interesting thing I’ve read since The Hound of the Baskervilles, does actually make some sense.


Cutting through the detail (and boy, is there a lot of it), the substance makes a lot of sense: regular resilience testing, including threat-led penetration testing for the larger firms; understanding concentration risk in your ICT suppliers; early warning indicators (notably lacking in the PRA/FCA rules); thought-through and planned communications; regular internal reporting; tighter contracts with suppliers; and so on.


There is a large part of DORA devoted to the critical suppliers of services. This is very much in line with where regulators globally are heading. The PRA and FCA are currently in the middle of a consultation on the role of critical (very large) third parties. Frankly, how any regulator is going to shift a third party that also has its own space programme, I am at a loss to work out. That, however, is a challenge for another day.


The Act contains a mix of (putting it very simply) technical requirements and organisational ones. The difficulty firms will have is that very few consultants outside the Big 4 can help with both. The Big 4 come at an eye-watering price point, so it is usually more effective to work with niche providers. The organisational specialists will understand what input the technical ones need to have, but usually not the other way around.


Aldbury International is one such niche firm and can help you understand what is required for both DORA and the more widely targeted FCA/PRA rules. There is a lot of common ground between them.


Contact us and let us help you through the thicket of rules thrown up by our beloved regulators.


