RegTech Intelligence

Ready for new DORA penalties today?

Now that the EU Digital Operational Resilience Act (DORA) is in force, an incident like the ‘CrowdStrike’ outage could, today, trigger a request from regulators for the firm to present its ICT risk management framework. Are you ready to face the consequences?

In the depths of December, the ECB revealed how DORA penalties will be assessed for failure to demonstrate control over 45 named artefacts, and they are worse than imagined.

Call us today to ensure that you’re ready for the tough questions that regulators and auditors will soon be asking your board.


On 17 December 2024, an ECB speech prioritised operational resilience, IT risk and data integrity as its top supervisory focus for 2025-2027.

As PJ Di Giammarino, CEO of JWG, noted: “Literally a month before DORA went live, regulators rewrote the agenda. The ECB has made it clear that operational resilience is now as critical as credit risk. If your board isn’t ready to answer tough questions, you’re already behind, and the consequences could be quite tough.”

Failure to safeguard against these risks carries severe business consequences, including increased capital charges, as well as personal consequences that could be worse still under accountability and conduct regimes.

Regulators have the power and the tools to scrutinise firms thoroughly, from IT risk questionnaires to how the Risk Data Aggregation and Risk Reporting (BCBS 239) principles are met.

However, meeting these standards is no small task. Only two of 31 firms passed last year’s BCBS 239 exams, and that was under a framework which has since been upgraded.

Knowing what good looks like

Firms operating across jurisdictions face varied expectations from regulators. The ECB takes a broad, high-level approach, while the UK’s PRA demands granular service-specific details.

PJ emphasised this duality: “The ECB acts like a strict headteacher, reviewing a firm’s homework and reports, while the PRA is more like a lawyer grilling firms on every operational decision they took and why their operations failed to meet their operating principles. For boards covering both jurisdictions, the pressure is immense.”

Moreover, accountability frameworks such as the UK SM&CR and SEAR in Ireland, combined with conduct risk regimes across Europe, mean that IT resilience is now a board-level responsibility. PJ warned: “There’s nowhere left to hide. If your systems go down, regulators will scrutinise every procedure — and personal consequences are very real.”

The bumpy course ahead

The pace of IT evolution is relentless. Gartner projects 8.7% annual growth in IT spending, reaching $1 trillion by 2028. Rapid change on a scale as big as a G20 economy means that firms must embed resilience into every facet of their operations.

DORA compliance requires a shift from reactive processes to proactive, data-driven strategies. Firms must align their legal, compliance, IT, and operations teams, while also integrating suppliers into resilience frameworks. Static spreadsheets and checklists are no longer sufficient—dynamic, adaptable roadmaps are the only way forward.

One of DORA’s greatest hurdles is poor data quality. A dry run by the European Supervisory Authorities (ESAs) revealed glaring issues, with 25,000 contracts identified for 10,000 providers. As PJ put it: “This is a ticking time bomb. If you think firms only have 25 contracts, you’re not seeing the full picture. The reality is far messier, and regulators know it.”

Conclusion: Navigating the Marathon with Confidence

Supervisors are no longer accepting fragmented, reactive approaches. Instead, they expect firms to integrate resilience into every decision, from boardroom strategies to daily operations.

This is where JWG can help. Using our OpRes RegDelta, we provide a rapid health check that evaluates your preparedness against 700+ questions. We assess how well your strategies, policies, procedures and contracts align with the 45 named artefacts in DORA and their UK OpRes counterparts, ensuring you’re ready to meet supervisory expectations for the ‘Holistic ICT Multi-Vendor Strategy’, ‘Digital Operational Resilience Testing Programme’, ‘Human Resources Policy’ and more.

PJ explained how JWG leverages RegDelta to provide actionable insights: “We use AI to process documents, identify gaps, and link them to the 45 named artefacts in DORA. This is about creating a feedback loop that ensures continuous improvement.”

Unlike traditional consultants, we work with services firms to offer ongoing assurance through a managed service model that adapts to your needs.

Don’t wait — an incident today could trigger an immediate review. Call us to assess how on course you are for resilience.

Upgrade your OpRes with RegDelta

JWG’s OpRes RegDelta enables evergreen linkage with your policies, procedures, and contracts, boosted by our LLM partners, which your teams can interrogate, saving time and money in spotting and closing your gaps.

Learn more about our approach in the 2-minute video and website here.

Want to arrange a DORA/ UK OpRes consultation? Please contact Corrina.stokes@jwg-it.eu.

Learn more

We’ve come a long way since we published ‘DORA’s data problems begin in 400 days – already back of the pack?’ here in July 2023! Discover how DORA differentiates itself from other directives and what it means for regulators, firms and suppliers alike in JWG’s research:

  • Unwrapping DORA here
  • Bridging DORA Gaps 2024 here
  • Supplier countdown DORA: T-40 here
  • DeFi RegTech Opportunities: 2025 here
  • Scaling OpRes Mountain: The New Risk Frontier here
  • Navigating OpRes storms in 2025 here
  • ‘EU vs. UK OpRes: Ready, Set, Resilient’ here
  • ‘Winning the OpRes Marathon’ here
  • ‘Taming the DORA dragon’ here
  • RegTech Newsletter here

Listen to the experts in RegCast Season 5

Show notes here; Spotify here; and Apple here


To promote global dialogue on how to deliver regulatory change, JWG posts hundreds of focused articles a year to thousands of subscribers. Get involved and join the mailing list.