EU and UK Operational Resilience (OpRes) implementation packages are creating nervousness at end-of-year gatherings this year.
In the wake of CrowdStrike this July, regulators pushed ahead with their detailed standards, and we have now catalogued over 93 EU and UK documents, spanning 3,304 pages and nearly 46,000 paragraphs, which define the law of the lands in Q1 2025.
This leaves the many banking tribes and their suppliers wrestling with their boards’ decisions about what good answers to 700+ questions look like on 17 January 2025 for DORA and 31 March 2025 for the UK.
Nervous board members have a lot to wish for in 2025:
- To know, and be reassured, that they are protected against their new liabilities in the event of ‘CrowdStrike 2’;
- To get beyond spreadsheets, so we can all know what controls we are asking for and from whom, in an auditable manner; and,
- To get the infrastructure, data and application suppliers on board and ready for the marathon ahead.
This article explores the middle and back-office board priorities for DORA and other OpRes regulation in 2025.
A Christmas Reset
Consider Timothy’s dilemma. As a European asset manager’s board member, the looming deadlines of January 2025 for DORA and March 2025 for UK operational resilience readiness dominate his agenda. Non-compliance could mean steep fines, reputational fallout, and personal accountability for inadequate operational safeguards. Ensuring robust IT systems and controls for critical business functions is no longer optional, and the buck stops with him.
Efforts to address these obligations have been hampered by an uneducated supply chain and shifting interpretation of regulatory demands. His DORA project team has created a comprehensive gap analysis, but it took ages, and the emergence of additional guidance documents has only further complicated the effort to get each ‘critical or important function’ to sign off on its obligations and detail what they mean for its suppliers.
Amid these challenges, Tim wrestles with pressing questions that are definitely NOT tiny:
- What impact will a major cyber event, like “CrowdStrike 2,” have on the Easter break in 2025?
- How do we measure up to our peers by business?
- Who can I trust to guide us and what role can artificial intelligence (AI) play?
Tim turns to his Chief Administrative Officer for answers but is disappointed by the stark reality: legal, compliance, and technical experts are overwhelmed by this level of regulatory complexity, and AI, well suited to the task, needs to be deployed in order for advisors to help.
He is more than worried about a potential train wreck (and not one involving his son’s train set) which would affect more than his holidays!
Over the weekend, Tim took a long winter’s nap and had a vision of his organisation using technology to cut through DORA and UK OpRes.
He realised that all the AI hype was finally worth jumping onto.
His vision is this: have all his risk and control elves work to the most up-to-date understanding of the rules, with an industry-validated view of what ‘good’ looks like.
He would tell all his 2nd and 3rd lines of defence that they had until April to figure it out and to verify that their DORA gaps were within risk tolerance.
The audit point owners would create a joint remediation plan for sins of the past and ensure that they knew the impact of new guidance on the present, as well as the future, as soon as it came out, thanks to AI.
What Tim really wants
Tim calls all his three lines of defence into a large conference room and presents his needs in the age of DORA:
- Interpretation. ‘I want to know how regulatory changes will affect my business. Each business should have a thematic radar of how new regulatory initiatives will affect them. This means that they know not only that what is done today fits in with current regulations, but also how new regulations like the EU AI Act will have standards which intersect.’
[Images: DORA | UK OpRes (PS21/3)]
- Gap. ‘Let’s face it, the industry survey results from JWG published in November show that we can’t pretend that the next 5 years aren’t going to be full of pain. I want to know that my organization understands what it has to do to comply. This means that it needs to be easy to ask everyone to take on discrete tasks, but hard to aggregate our position and compare it to the regulators’ view of “what good looks like”. To stay off the naughty step we need to answer detailed questions about our journey to a DORA-ready state with clear dashboards, reporting, and alignment across all key stakeholders.’
[Images: DORA Health Check | UK Health Check]
- Standards. ‘I want humans to validate plans to close the gaps in a way that aligns with industry practices. Yes, you can ask an LLM to tell you about what gaps you have today. However, it’s a far different conversation with the regulator about how your policies, standards, and controls align across your lines of defence and the suppliers. In the near future, we need to align industry standard practices and call in the experts for assistance with the remediation plan.’
Some of his managers were about to dive in and defend themselves when Tim delivered his Christmas ultimatum:
‘If you haven’t executed on your April plans by year-end, I’m cutting the bonus pool by 50%.’
He dropped the microphone and walked out. The stunned crowd went away to do some research and found their way to this very page you are reading.
Want to learn more about how to help Tim? Have a look at our video and long list of resources below.
Upgrade your OpRes with RegDelta
RegTech is at the forefront of better, faster, cheaper, and safer OpRes solutions for 2025 change programmes.
JWG’s OpRes RegDelta enables evergreen linkage with your policies, procedures, and contracts, boosted by our LLM partners, which your teams can interrogate, saving time in spotting and closing your gaps.
Learn how in our new 2-minute video.
Want to arrange a demo? Please contact Corrina.stokes@jwg-it.eu.
Learn more
We’ve come a long way since we published ‘DORA’s data problems begin in 400 days – already back of the pack?’ here in July 2023! Discover how DORA differentiates itself from other directives and what it means for regulators, firms and suppliers alike in JWG’s research:
- Bridging DORA Gaps 2024 here
- Supplier countdown DORA: T-40 here
- DeFi RegTech Opportunities: 2025 here
- Scaling OpRes Mountain: The New Risk Frontier: here
- Navigating OpRes storms in 2025 here
- ‘EU vs. UK OpRes: Ready, Set, Resilient’ here
- ‘Winning the OpRes Marathon’ here
- ‘Taming the DORA dragon’ here for background
- RegTech Newsletter: here
Listen to the experts in RegCast Season 5