The EU’s Digital Operational Resilience Act (DORA) dragon is getting ready for flight in 150 days. Leave your castle walls in disrepair over the summer holidays at your peril.
This regulation takes a far deeper, broader and more prescriptive approach to managing end-to-end Information and Communication Technology (ICT) risk than any sitting Chief Information Officer, Chief Risk Officer or Management Committee ever imagined.
By 17 January 2025, a ‘great repapering’ needs to be completed for your policies, contracts, procedures, control logs, regulatory reports and supplier databases. To tame DORA, SMEs will need an interdisciplinary approach to satisfy many stakeholders.
JWG’s AI-enabled DORA RegDelta solution is ready to help your ‘change the bank’ teams move quickly to shore up your DORA defences. Trust us, you’ll be glad you did when 17 January rolls around.
150 days to deliver to new standards
22,000 financial entities should be conducting gap analyses and making tough decisions about how they intend to secure their ‘critical or important’ functions now.
Lawyers report that we’re at the start of a DORA repapering juggernaut, and the ESAs already have 4,000+ people registered for their voluntary ‘dry run’ of the new regulatory reports.
However, DORA is about far more than tweaking a few supplier contracts. Policies, procedures, control logs, regulatory reports and supplier databases need to fall in line with very prescriptive obligations for which there are few standards and no legal precedent.
DORA’s 12 documents and 785 pages contain a number of new ramparts to protect the resilience of the financial system, including these:
- ‘critical or important function’ means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities… under applicable financial services law – Art 3(22)
- financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers – Art 28(3)
- ‘critical ICT third-party service provider’ means an ICT third-party service provider designated as critical in accordance with Article 31 – Art 3(23)
- financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request. – Art 6(3)
- Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important. – Art 28(3)
DORA Penalties
Despite claims to the contrary on the internet, DORA does not fix the sanctions itself: Article 50 leaves it to each Member State to determine what happens if your DORA defences are breached:
- Member States to establish appropriate, effective, proportionate and dissuasive administrative and potentially criminal penalties
- Could require temporary or permanent cessation of any practice or conduct considered contrary to DORA
- Issue public notices, indicating the identity of the natural or legal person and the nature of the breach.
The DORA ‘So What’ for a Financial Entity
As JWG wrote last summer, with tough new risk controls and thousands of suppliers in your technology supply chain, implementation programmes will struggle to keep pace with the breadth and depth of the challenges.
Today’s financial services businesses are under pressure. On one front their customers are pushing toward ever more interconnected, digital platforms. On the other, regulators want firms to control the systemic risk of the technology itself. Both these pressures are now roaring their way across the financial value chain and IT supply chain.
Current governance and oversight roles will change and hundreds of new questions will need to be asked, answered and evidenced. A few of the areas where DORA’s teeth bite are illustrated in the table below:
This is by no means a comprehensive or exhaustive list of questions. It is meant to illustrate the level to which firms and their suppliers will need to upgrade current risk governance and control frameworks to mitigate operational resilience risk.
As with most EU regulation, transparency is the answer. Ominously, in addition to the information register and other reports, the regulation stipulates that the Competent Authorities can “have access to any document or data held in any form that the competent authority considers relevant for the performance of its duties and receive or take a copy of it”. That’s a lot of dragon training footage…
As with most regulation, a risk-based approach is required and your documentation needs to clearly identify any gaps which you have to close. When you do have an incident, there will be little time to go back to the rule books: for a major ICT-related incident the initial notification is due within 4 hours of classifying it as major (and no later than 24 hours after becoming aware of it), followed by an intermediate and a final report.
Introducing JWG’s DORA RegDelta platform
There are RegTech AI solutions ready, but you had better move fast and get your ‘change the bank’ teams to record their gap analyses, strategies and remediation plans now.
Few are qualified to analyse and structure a complex body of texts, train models on it and be confident that you will have the RegTech safety gear you need. That’s where we come in.
At JWG, our analysts have assembled all the relevant DORA texts and stand ready to load the final tweaks next month, saving clients thousands in painful remapping exercises.
Our Natural Language Processor decodes the obligations and solves the ‘multi-dimensional DORA puzzle’ to create rapid health checks, tuned to individual business needs. JWG can analyse a business’s DORA deltas and deploy GenAI tooling along with expert legal services to close any gaps.
DORA RegDelta enables users to effortlessly explore the 780+ pages in a streamlined interpretation framework. Far more than just regurgitating the text, our analysts have leveraged AI-driven Natural Language Processing (NLP) to create a set of obligations and plain English insights into its implementation.
JWG’s DORA RegDelta USPs
Safe, efficient, effective, trusted and RELIABLE
For more information please contact corrina.stokes@jwg-it.eu.
Conclusion
The EU’s Digital Operational Resilience Act (DORA) dragon may have seemed like a distant threat, but it is now only 150 days away from taking flight, and castle walls left in disrepair over the summer holidays will not be safe from it.
This revolutionary regulation has caught the attention not only of Chief Information Officers and Chief Risk Officers, but of the entire management committee.
It has presented a much deeper, broader, and more prescriptive approach to managing end-to-end ICT risk than anyone could have imagined. But fear not, for there is still time to fortify your defences against this formidable creature.
However, to do so successfully, an interdisciplinary approach between firms and their service providers is crucial. Luckily, JWG’s AI-enabled DORA RegDelta solution stands ready to aid your team in quickly and efficiently securing your compliance.
Don’t miss out on this opportunity to get ahead of the game – fast track your DORA RegDelta program today and ensure that you are prepared for whatever challenges may come your way in the ever-evolving regulatory landscape.
Trust us, you’ll be glad you did when 17 January 2025 rolls around. So don’t wait – get in touch with JWG to learn how we can help you tame the DORA dragon once and for all!