It is estimated that more than 3.6 billion individuals globally will use online or mobile banking services to manage their finances by 2024. Many of us who fall into that category wonder how our financial institutions protect our information and ensure we can access it whenever and wherever we need it. The European Union has asked the same question and has designed a regulatory framework, the Digital Operational Resilience Act (DORA), that requires EU financial institutions to ensure exactly that: digital operational resilience.
This new regulation requires these financial institutions to maintain a resilience programme designed to plan, prepare, mitigate, and rehearse for disruptions originating from their information and communication technology (ICT) service providers, so as to reduce the likelihood of a disruption reaching their customers. The regulation, the first of its kind, puts considerable pressure on technology providers to have in place a robust resilience capability covering their business, technology, and third parties so that services to financial institutions are maintained. In particular, regulators have found that the interconnectivity between financial institutions and ICT providers could pose a systemic risk, given the accelerating reliance on those providers and the evolving, rapidly growing cyberthreat landscape.
DORA gives financial institutions a two-year runway to implement the programmes and practices needed to meet the new requirements; technology providers should be preparing on the same timeline. Whilst no ICT service providers have yet been designated as critical third parties (CTPs) under the regulation's oversight framework, it is only a matter of time before those designations are made.
DORA requires that financial institutions and their identified critical third parties (CTPs) have in place processes and procedures that cover five key areas:
Organisations that already have an operational resilience (OR) or Business and Technology Resilience (BTR) programme in place should not need a major overhaul to align with DORA, as those programmes are the building blocks for DORA. Organisations without a defined OR/BTR programme should start work now, with the end goal of a mature OR/BTR programme that addresses C-suite concerns.
Technology service providers should consider the following to prepare for DORA and its application date of 17 January 2025:
1. Determine whether you are an ICT service provider likely to be deemed a CTP by a regulatory body or by a financial institution. To make that determination, you should:
a. List your key financial services clients and services provided to them;
b. Evaluate what could be deemed "critical";
2. Perform a DORA readiness assessment to establish your current level of compliance with the regulation and identify the immediate next steps to bolster your resilience and prepare for DORA. There are two ways to conduct the assessment:
a. Identify an individual within the organisation who has a deep understanding of the regulation and conduct a self-assessment of current alignment with it.
b. Reach out to your KPMG account manager and discuss the options KPMG provides to support our clients in resilience, including our DORA Readiness assessment toolkit accelerator.
3. Form a DORA program and governance team that can:
a. Draft an initial plan to tackle the requirements of DORA.
b. Create a charter that defines the actions your organisation is taking to comply with the regulation.
c. Create a review process to ensure compliance with the internal and external mandates.
d. Ensure adequate synergies and interlocks between firmwide in-flight Operational Resilience programmes and the DORA programme.
This leads us to the ultimate question: do you have a business and technology resilience programme in place today? And if so, are you ready for DORA? Now is the time to take action and accelerate your journey to becoming a more resilient business.
Please reach out for a conversation to discuss your strategic resilience journey and DORA readiness.