On 3 July, 2024, we were joined by compliance and surveillance experts from across the financial services space as part of our Compliance & Conversation 2024 event. The event included a discussion between Bradley Rice, Partner, Financial Services Regulation at Ashurst and Global Relay’s Chief Strategy Officer, Alex Viall, exploring the potential impacts of the upcoming EU-wide Digital Operational Resilience Act (DORA) on the financial services sector – and how firms can get ahead of the impending changes.
You can watch the full session on-demand here, but we’ve summarized some of the key insights from the session below.
What is DORA?
The session began with Rice briefly contextualizing what the new DORA legislation has been designed to achieve. He sees it as “the next evolution of recovery planning”, and part of a wider global G20 initiative to ensure higher standards of digital resiliency across multiple industries.
Rice summarized that the regulation will apply directly to any regulated EU entity, including banks, insurers, and brokers, among many others. It also applies to companies that are part of a group. According to Rice, the DORA deadline is tight, with a ‘go live’ date of 17 January, 2025 leaving firms without much time to ensure their operational resilience efforts meet the new standard.
What are the DORA compliance challenges?
Rice explained that there are potential compliance challenges posed by the new legislation, in both comprehension and implementation of the new DORA rules. He sees a “lack of clarity” when it comes to firms identifying what a ‘critical function’ is, with previous or general understandings of that term not necessarily matching up to the definition within the new regulation, which he sees as being “much broader”.
For Rice, the rule change presents firms with opportunities, as well as challenges. It provides a good opportunity to “look holistically at operational resilience”, and for firms to go “back to basics” when examining their overall operational resilience planning and procedures. Rice emphasized that this will necessitate efforts and cooperation across multiple key departments within a business, a “marriage of disciplines” to ensure understanding and implementation of the new rules is comprehensive.
Another potential challenge that Rich highlighted is the amount of due diligence firms will need to undertake to gauge whether their DORA policy adjustments need to consider their third-party service providers. Rice sees this as being dependent on a firm’s risk attitude. If firms are sub-contracting a “material part of a service”, they will not only need to do the legwork to assess whether that third-party supplier should be taken into account, but will also need to “go down a layer” to consider whether that provider sub-contracts material parts of their services.
Which regulators are driving DORA?
When asked whether any specific EU regulators were driving DORA expectations, Rice said that it is “the usual suspects”. This includes the Autorité des marchés financiers (AMF) in France, which has listed operational resilience as a regulatory priority, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Germany, and the Central Bank of Ireland (CBI), with the latter having largely mirrored the United Kingdom’s operational resilience regime. Depending on their structure and where offices are based, even firms that do not operate entirely within the EU may be subject to DORA rules, in the same way global firms must abide by European GDPR standards.
While there are some regulators leading this charge, Rice does not believe that we will see “any enforcement soon” around DORA. His view is that regulatory views will be similar to those around the introduction of MiFID II – firms will not be expected to be DORA perfect from day one, and providing evidence of a clear plan will be enough to stay on the right side of regulators initially.
Interestingly, there have been concerted lobbying efforts by firms and industry bodies to delay the DORA go-live date from 17 January, 2025 – efforts that Rice believes will be unsuccessful.
DORA and proportionality
DORA legislation includes a principle of ‘proportionality’ – essentially, that the way firms engage with the regulation is dependent on a number of ‘proportional’ factors. Firms assessing their DORA posture can make a start by “taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations”, and then using this as benchmark to decide how proportional their approach needs to be.
Rice sees some potential challenges with this, and was quick to remind firms that proportionality is “not a get out of jail free card” even if they operate within a “lighter touch regime”. An example given by Rice involved a representative of a firm being told that “there is no proportionality in Holland” – clearly, DORA expectations will vary across jurisdictions.
How can firms prepare for DORA?
The way that firms can best prepare for this is to “comply with everything”. Rice advised a risk-based approach that would see a firm comparing its current operational resilience policies against the DORA requirements, then identifying and filling any “gaps” in their posture to ensure full compliance. As Rice summarized, firms should “work with what they’ve got” and add to their existing policies and procedures, rather than starting from scratch.
While expectations around DORA implementation, timelines, proportionality, and preparedness might affect different firms and different jurisdictions to lesser or greater degrees, Rice’s key takeaway was clear: “Everyone needs to suck up the same terms and conditions”.
