Firms Have Made Strong Progress on DORA Compliance But There is More Work To Do
Published: January 17, 2025
Marija Devic, Consultant at Capco, comments on the progress made so far on today’s EU DORA implementation, and the work firms need to do to ensure ongoing compliance
“The EU’s Digital Operational Resilience Act (DORA) regulation came into effect today (Day 1). With a focus on information and communication technology (ICT) risks, DORA has raised the bar and imposed prescriptive requirements for a broad range of financial entities and third-party service providers.
The regulation aims to enhance their operational resilience and ensure robust measures are in place to prevent, detect, respond to, and recover from ICT-related incidents and disruptions. Whilst firms have made progress for Day 1 go-live, there is a substantive book of work to complete in 2025 and beyond (Day 2) to ensure compliance with the regulation and build strategic operational resilience capability.”
As firms plan their Day 2 remediation activities, they need to ensure they can demonstrate to their customers, regulators and other stakeholders their commitment to maintaining a high level of digital operational resilience. Below outlines common areas where we expect firms to focus in 2025 to achieve DORA compliance effectively and efficiently and drive broader transformational change.
- Third-party risk management. Augmentation of ICT third-party risk management practices, including completion of registers of information and negotiation and amendments to contracts for all remaining ICT third-party service providers, enhancements of concentration risk frameworks, and development of exit plans and testing for all ICT third-party service providers supporting Critical or Important Functions (CIFs).
- ICT Risk management framework and tools. Enhancement of internal governance and control frameworks, processes, systems, tools and measures / key performance indicators (KPIs) and key risk indicators (KRIs) to enable effective management of all ICT risks. Implementation of gaps related to technology and cyber provisions, such as network segmentation, encryption and cryptographic controls, anomalous activity detection and logging protocols and tools.
- Testing. Expansion of scope, alignment and level of sophistication of existing practices and tests under the overarching “digital operational resilience testing” program, for example, scenario testing, TLPT.
- Incident management and reporting. Alignment of incident management processes, classification and reporting format and process to DORA’s requirements.
- Integration and efficiency. Integration of global operational resilience and risk capabilities in response to EU DORA and other regulatory requirements. Definition of a sustainable framework and operating model and streamlining and realising efficiency gains through use of technology and GenAI.”