As the regulatory environment continues to evolve, staying ahead of the curve is crucial for financial institutions, particularly with the introduction of the European Digital Operational Resilience Act (DORA), which officially came into effect on January 17, 2025.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

This legislation presents both an opportunity and a challenge for the industry, marking a pivotal moment for financial services institutions (FSIs).

While many FSIs have implemented measures to address DORA, significant gaps remain in achieving full and efficient compliance. Key challenges include inadequate automation in data gathering and report creation, as well as poor data quality, which often forces institutions to rely on manual or semi-automated processes. Further areas of concern include third-party risk management, fragmented IT systems, incident reporting, resource and skill gaps, regulatory unclarity, and observations related to organizational scale and cross-border complexity. Navigating this complex landscape requires a clear understanding of the critical steps needed to ensure compliance and safeguard operations.

Why DORA Matters

DORA aims to enhance the security and resilience of ICT systems within the financial sector. It provides a harmonized framework for managing ICT risks, reporting incidents, conducting resilience tests, sharing information, and managing third-party risks. Compliance with DORA offers FSIs the opportunity to upgrade their digital operational resilience and achieve several strategic benefits:

Figure 1: Benefits of achieving DORA compliance


Challenges and Opportunities

Despite the clear benefits, achieving DORA compliance is not without its challenges; however, it also presents considerable opportunities for FSIs to enhance their operations. FSIs must invest in their ICT systems and processes, enhance governance and oversight, improve awareness and training, and strengthen collaboration with stakeholders. They must also ensure they have the necessary skills, resources, and capabilities to manage ICT and cyber risks effectively.

FSIs should take the following steps to comply with DORA:

  • Establish a robust ICT risk management framework: Align with business strategy and risk appetite, approved by the management body.
  • Identify and map critical functions and ICT assets: Conduct business impact analyses based on severe disruption scenarios.
  • Monitor, record, and classify ICT-related incidents: Notify competent authorities and stakeholders promptly.
  • Conduct regular and advanced digital operational resilience testing: Address vulnerabilities and gaps.
  • Define and implement a policy for ICT third-party service providers: Perform due diligence, risk assessment, and contractual supervision.
  • Share information and intelligence: Collaborate with regulators and financial entities on ICT-related threats.

Challenges FSIs are currently facing while implementing DORA compliance:

  • Third-Party Risk Management: FSIs face difficulties in managing dependencies due to diverse procurement models. DORA imposes strict oversight on ICT third-party providers, including critical service identification and contractual clauses.
  • Fragmented IT Systems: Institutions with legacy systems struggle to consolidate ICT risk data, integrate monitoring tools, and achieve a holistic risk picture. Observability of key metrics is also a challenge.
  • Incident Reporting: DORA requires tight reporting schedules for major ICT incidents, but many FSIs lack mature and automated workflows to meet these expectations.
  • Resource and Skill Gaps: Implementation demands clash with ongoing regulatory programs, creating internal bottlenecks. There is a shortage of specialists in operational resilience and ICT risk.
  • Regulatory Unclarity: Some FSIs are in a "wait-and-see" mode, especially for areas where secondary legislation or supervisory expectations are still being finalized.
  • Additional Observations: Smaller FSIs and fintechs lag behind due to limited budgets and regulatory experience. Cross-border institutions must harmonize DORA compliance across jurisdictions.

Table 1: Challenges FSIs are facing while implementing DORA

These challenges underscore the importance of DORA and the need for FSIs to fully commit to achieving digital operational resilience.