How should RegTechs be preparing for DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and is currently set to apply as of 17 January 2025. As the industry gears up for full implementation, how should firms be preparing for it?
In the view of Donal Lawlor, head of sales at ViClarity, RegTech firms that are deemed to be critical third-party providers to financial services firms will need to ensure that their due diligence processes over any subcontractor meet the minimum resilience standards set out by the regulators.
Lawlor explains that RegTechs will use the same five pillars as financial services firms. These are: developing an inventory of critical systems; developing a testing programme; identifying the risks and mitigations associated with the failure of those systems; managing third-party risk, including exit and substitution planning; and incident recording and reporting.
“In-scope Regtech providers to financial services firms will play a key role in helping their clients become DORA compliant. We see closer collaboration between ICT providers (Regtechs) and their clients in terms of testing and TPRM. By understanding their client’s obligations under DORA, and by supplying oversight data in a timely fashion, the RegTech can help their clients be ready for DORA,” said Lawlor.
Common misconceptions
Darragh Hayes, CEO of LEI Worldwide, believes that one of the common misconceptions surrounding DORA is that it only applies to regulated financial institutions (FI) under ESMA.
“Under DORA, each provider listed on a will need to be identified by way of a Legal Entity Identifier (LEI). Regtechs, fintechs, ICT providers, cybersecurity firms, system engineers and many more will be obliged to obtain an LEI code come January if they are providing services to an FI under DORA,” he claims.
The LEI Worldwide CEO added that the templates included in the draft implementing technical standards (ITS) aim to identify unambiguously and consistently the ICT third-party service providers and the financial entities (FEs) using the LEI, to enable efficient aggregation of relevant information.
Another misconception, Hayes professes, is that DORA only applies to EU firms. Organisations based outside of the EU that provide services to FIs within the EU will also be obliged to obtain an LEI come January.
“This means that a fintech firm based in Silicon Valley or an IT consultancy in India would need to comply with DORA’s provisions, including obtaining an LEI, if their service footprint extends into the European financial market,” said Hayes.
Moreover, Hayes explained that there is a misconception that DORA’s requirements are solely focused on cybersecurity.
“While cybersecurity is a crucial aspect, DORA’s mandate is much broader, encompassing all facets of digital operational resilience. This includes not just data protection and cyber threat mitigation but also the robustness of digital systems, the resilience of infrastructures, and the ability to recover from ICT disruptions. Fintechs and other service providers must therefore look beyond cybersecurity measures and consider their roles in ensuring comprehensive digital resilience,” explained Hayes.
He added, “In light of this, Fintechs and Regtechs should ensure they are DORA compliant by obtaining an LEI well in advance of January, and also ensure that any element of their service that is outsourced to another service provider will also have one. The alternative is to be DORA non-compliant and run the risk that the FI client organisation requests you to formally obtain an LEI, the FI is in breach of DORA, or the relationship is ceased.
“It is imperative for all affected entities to actively engage with the requirements of DORA and seek clarity on their obligations. When it comes to the LEI component, LEI Worldwide is running a DORA readiness campaign for both FIs and tech/cybersecurity providers.”
Plan ahead
Allison Lagosh – head of compliance at Saifr – stated that financial firms in scope will need to pay special attention and build in controls and procedures that comply with the regulation. It will also, she stated, impact firms doing business in the EU, similar in nature to GDPR protocols and scope.
What are some of the impacts and requirements of the proposed rule? Lagosh explains one key area is around common standards.
She said, “DORA will subject all firms to a common set of standards to mitigate ICT risks. This means that financial institutions will need to adhere to specific guidelines related to their information and communications technology infrastructure.”
Another area is increased oversight. On this, firms will face enhanced regulatory oversight regarding their operational resilience. This includes monitoring and reporting on their ICT systems, cybersecurity practices, and incident response capabilities.
Risk assessment and testing will also be key. “DORA may require firms to conduct regular risk assessments and testing of their ICT systems. This involves identifying vulnerabilities, assessing potential impacts, and implementing necessary safeguards,” said Lagosh.
A final area is incident reporting. Companies, Lagosh stated, will need to promptly report any significant ICT incidents to relevant authorities. This ensures transparency and facilitates coordinated responses during crises.
“Firms can prepare by examining current practices and enhancing them to accommodate new standards. Gap analysis should be performed, and legal and compliance teams should be engaged to develop a programme in advance of the compliance deadline,” said Lagosh.
Nathalie Aubry-Stacey, head of regulatory affairs & compliance at Custodia, said, “DORA represents a significant shift in how financial entities must manage and report their operational resilience, particularly in relation to information and communication technology (ICT) risk. As this legislation comes into full effect in January 2025, the RegTech industry needs to proactively prepare to assist its clients in navigating these new requirements.
“Enhanced contractual documentation with clients will be crucial. DORA requires financial entities to maintain comprehensive documentation of their ICT risk management frameworks, including policies, procedures, and controls.
“Obtaining and maintaining outside certifications will be essential for RegTech companies. Certifications such as ISO 27001 can serve as a demonstration of a firm’s commitment to operational resilience and security. These certifications will help in meeting DORA’s regulatory expectations. RegTechs should prioritise not only achieving these certifications but also keeping them up to date, showcasing the ability to safeguard against ICT risks and ensuring continuous compliance with evolving regulatory standards.”