DORA, Don’t Panic

The Digital Operational Resilience Act (DORA) regulation is enforceable from the 17th January 2025 to all EU financial institutions.

In my working lifetime I’ve seen the introduction of a raft of pieces of legislation; GDPR, multiple updates to PCI-DSS as well as MiFID directives I & II, amongst others.

Each of these have their own requirements to comply with technically and as a business; they all strike levels of fear into folks who must implement them, and the closer proximity to the date of introduction the greater that fear seems to swell across an organisation. This fear is often fuelled by those lacking the knowledge or understanding of the requirement being imposed, adding unnecessary pressure to the team responsible and almost creating a borderline of compliance hysteria as regulatory adoption day looms!

In 2017 the adoption of GDPR was the absolute embodiment of this, individuals from Board Level to Implementation Engineers running in different directions frenetically working out how to proceed and if they’d be under the microscope for some heavy fines that could be levied if they’d not cut the mustard. On top of this, every single vendor of IT software and hardware had an opinion on how they were going to solve GDPR for your team…

It’s easier to implement a regulation when there are clear requirements. PCI-DSS for example is pretty good at that: “Requirement 4: Encrypt transmission of cardholder data across open, public networks”. DORA and other legislations aren’t so concise and leave lots open to interpretation on what your organisation must adopt procedurally and where it must enhance technically. This exacerbates the overall panic and confusion, does the organisation need to buy something, do something, if so what’s in scope, what needs to change?

The good news with DORA is that you’re still a long way off the act becoming regulated, meaning there remains time to get your ducks in a row and answer the questions about how our organisation much change, what practices or technology is needed to be adopted.

At this stage DORA has been published as a draft, and it honestly wouldn’t surprise me if a good proportion of the organisations need to make little to no changes to their working practices, reporting schedules or technology stack. The issue and fear come when we reach 2025 and you’ve not yet identified that’s the case!

In initial results from research conducted by HANDD we found that a staggering 83% of respondents organisations are not currently working toward an updated plan to conform with the DORA regulations, with only 4% of those surveyed stating they are completely confident they understand the changes. Add your insight to the survey here and sign up to receive the full results later this year (as well as lots more DORA content and news!)

At this stage, the advice is simple: start planning now. Identify what’s already there which aligns to the draft legislation wording, lots of these items are just good practice anyway or perhaps extension of existing regulation. By understanding the requirement early into its adoption you’ll not need to rush in any changes, upgrades or force through shifts in working practices onto unsuspecting employees. If you’re struggling to pin point what’s required yourself or what you might need to change seek advice sooner rather than later.

HANDD will be continually releasing content as the DORA deadline approaches; working with partners and consulting the great and the good to ensure that our partners can plan well in advance.

 

Need more support on DORA?

You may be interested in reading our previous blog, Not another DORA blog!