The clock is ticking for financial institutions across Europe as the January 17th[1] deadline for DORA (Digital Operational Resilience Act) compliance approaches. Aimed at fortifying the operational resilience of financial entities, DORA sets out strict requirements for ICT risk management, incident reporting, resilience testing, third-party risk oversight, and governance. With no grandfathering period and a firm deadline, the race to align with these regulations is on.
At a recent industry conference, experts and leaders from Elvinger Hoss[2], PwC Luxembourg[3], Fundvis[4], and Proximus[5] convened at the Luxembourg House of Financial Tech (LHoFT)[6] to tackle the practical hurdles posed by DORA. The discussions highlighted a range of complexities, from compiling comprehensive registers of ICT services to renegotiating contracts with third-party providers. Despite the daunting nature of these tasks, attendees emphasised the transformative potential of DORA. Addressing these challenges head-on will allow financial institutions to meet regulatory demands and ensure their operational resilience in an increasingly digital world.
DORA’s Core Requirements
The regulation introduces a comprehensive framework designed to fortify the digital resilience of financial institutions across Europe. Centred on five key pillars, it addresses distinct facets of operational resilience, providing financial entities with a structured approach to align and reinforce their operational foundations.
ICT Risk Management
ICT risk management lies at the heart of DORA, requiring organisations to identify, assess, and mitigate risks related to their information and communication technology. This involves comprehensive mapping exercises to pinpoint critical functions and dependencies, a prerequisite for effective implementation. Financial entities must continuously monitor and update their risk controls to address evolving threats.
Incident Reporting
Timely incident reporting is a non-negotiable requirement. Organisations must have standardised processes to report ICT-related incidents to regulators promptly. Clear documentation and communication protocols are essential to demonstrate compliance and support the broader financial ecosystem’s resilience.
Digital Operational Resilience Testing
Resilience testing ensures that financial institutions can withstand disruptions. Regularly scheduled tests, such as penetration tests, must be conducted at least every three years and aligned with real-world risk scenarios. These tests provide invaluable insights into potential vulnerabilities and validate the effectiveness of existing controls.
Third-Party Risk Management
Managing third-party risks is one of the more challenging aspects of the regulation. Financial entities must:
- Update contracts with service providers, prioritising intra-group agreements and major suppliers like AWS and Microsoft.
- Create a register of information detailing third-party dependencies and the criticality of their services.
This process demands rigorous internal coordination and extensive external collaboration to collect and verify the data.
Governance and Oversight
Effective governance is a cornerstone of DORA compliance. Organisations must:
- Engage their boards in overseeing digital resilience initiatives.
- Regularly present dashboards tracking compliance progress and remediation plans.
- Ensure that boards are aware of their accountability in meeting regulatory requirements.
Pathways to Achieving Compliance
With the January 17th deadline looming, financial institutions must adopt a structured approach. The following strategies focus on practical steps to meet regulatory requirements effectively while addressing key challenges.
Prioritise Mapping and Register Creation
The foundation of DORA compliance lies in conducting a comprehensive mapping exercise to identify all ICT services, their criticality, and dependencies. This step is essential before undertaking other compliance actions, as it informs all subsequent processes.
- Critical Focus Areas: Ensure the identification of business-critical functions and their ICT dependencies.
- Data Accuracy: Avoid skipping this step to save time, as inaccuracies here will lead to costly revisions later.
Once mapping is complete, organisations must create the Register of Information, a central repository required by regulators. This task involves collecting extensive details from internal sources and external providers.
- Regulators will expect submissions in early Q1, and incomplete registers will not be accepted.
- Even if the register is not perfect, submit a robust first draft to demonstrate effort and readiness.
Address Third-Party Dependencies Proactively
Managing relationships with third-party service providers is one of the most time-consuming aspects of this regulation. Financial institutions should adopt a tiered approach:
- Intra-Group Agreements First: Update internal agreements within your organisation, as these require no external dependencies.
- Engage Key Providers: Prioritise updating contracts with critical providers like Microsoft and AWS, which often have pre-prepared DORA-compliant agreements.
- Small and Medium Providers: These providers may lack preparedness for DORA, making it crucial to document your engagement efforts meticulously.
Best practices include using standardised contract templates and documenting every communication to show your compliance efforts to regulators.
Implement Tools and Expertise for Efficiency
Leverage technology to streamline compliance activities:
- SaaS Platforms: Tools like Fundvis centralise register creation, automate data entry, and generate compliance reports for boards and regulators. These platforms help track progress and highlight areas needing attention.
- External Support: Engage consultancy firms like PwC for gap analyses, third-party risk management, and assistance with resilience testing. Their industry expertise can expedite compliance.
Engage the Board and Document Efforts
Board-level engagement is vital for maintaining momentum and accountability:
- Present dashboards at every board meeting to track compliance progress and remediation plans.
- Highlight risks, gaps, and strategies for addressing outstanding issues.
Regulators emphasise the importance of documenting all compliance efforts. From initial mapping exercises to third-party contract negotiations, keeping a detailed audit trail demonstrates commitment and ensures readiness for regulatory scrutiny.
Conclusion
DORA compliance is a pivotal opportunity to fortify operational resilience across Europe. While tight deadlines and complex requirements demand swift, strategic action, financial institutions can rise to the challenge by prioritising key initiatives: mapping processes, updating registers, collaborating with third-party providers, and harnessing the right tools and expertise. Immediate engagement is essential; by embracing this regulation as a strategic advantage, financial institutions can future-proof their operations, earning the trust of regulators, stakeholders, and clients while navigating tomorrow’s challenges with confidence.
Now is the time to act.
Footnotes:
Featured Images: Midjourney
[1] Rowan Armstrong (02 July 2024) "EU Digital Operational Resilience Act: Countdown to comply with the January 2025 Deadline" https://www.brownejacobson.com/insights/dora-countdown-to-comply-with-january-2025-deadline
[2] https://elvingerhoss.lu
[3] https://www.pwc.lu/
[4] https://fundvis.org/
[5] https://www.proximus.lu/fr/index-en/
[6] https://lhoft.com/