Discover how FundsDLT is aligning with the requirements of the Digital Operational Resilience Act (DORA) with Arthur Raineau-Rispal, Head of Risk, and Sonia Garcia, Head of Compliance. They point out that as a regulated entity, the company is in a strong position to ensure service continuity and security for all stakeholders.
Increasing digital transformation in the financial sector brings with it a high degree of interconnectedness and increased ICT risks. In this context EU Regulation 2022/2554, better known as DORA, emerged as a response to the need for enhanced operational resilience within a unified regulatory framework in the EU.
DORA introduces stringent requirements for financial entities in the EU and affects their ICT service providers both inside and outside Europe, who need to comply with the requirements if they wish to continue serving these financial institutions. FundsDLT is both an EU-regulated financial entity and a service provider and this dual role offers a distinct advantage. It not only means the company is an attractive partner for financial institutions looking for providers with compliant and reliable digital operations, but crucially, it gives FundsDLT a deep understanding of DORA requirements as they are applicable to regulated entities.
DORA at a glance
The Digital Operational Resilience Act is a detailed EU regulation designed to enhance cybersecurity and operational integrity in the financial sector.
As a business continuity-centred regulation, DORA is not solely about fortifying digital defences, it's about ensuring a resilient, uninterrupted operation of financial services amidst a landscape of increasing cyber threats and operational disruptions.
It emphasises proactive, ICT-related incident management, digital operational resilience, transparent third-party governance and enhanced ICT and security risk management practices.
DORA standardises resilience practices across EU states, improves incident reporting, and encourages collaborative efforts to reduce systemic risks.
By January 2025[1] EU financial entities must comply with DORA, following its detailed implementing and regulatory timeline, with technical standards released in stages.
Navigating the digital shift: The financial sector and DORA compliance
A possible 22,000[2] financial entities and ICT service providers within the EU – not to mention those service providers beyond its borders but who are still impacted – have eight months remaining to align with DORA’s rigorous standards.
For the financial sector, DORA is not merely a regulatory hoop to jump through, it is a transformative opportunity. Let’s examine some of the reasons why this is so.
Firstly, it compels entities to fortify their digital core, placing the onus on management to spearhead a resilient digital operational strategy. This requires a meticulous examination of current digital frameworks, ensuring that the strategic oversight of digital operational resilience is robust.
"DORA can help the financial industry see ICT and an interlinked ecosystem differently as it represents a fundamental improvement in resilience and ICT governance culture."
Sonia Garcia, Head of Compliance
Acknowledging the sector's deep-seated reliance on ICT systems, DORA places new demands on institutions to ensure continuous, reliable service in the digital age. It spotlights the necessity of transparent management of third-party ICT service providers, driving entities to thoroughly assess and understand the ramifications of outsourced digital services and the risks they may pose.
Transparency is critical to the management of these service providers under DORA. The regulation extends its reach to the outsourcing chain, compelling financial entities to scrutinise and understand potential vulnerabilities that could impact operational stability, offering a holistic view of the risks in play.
In the realm of incident management, DORA ushers in a new era of incident reporting, mandating identification and response at EU level. Through detailed incident reporting – including criteria such as the geographical reach of the incident, the severity of impact on services and the duration of the incidents – the act aims to cultivate a financial environment where rapid response and recovery become the norm, minimising the impact of any given crisis.
Collaboration and information-sharing are also part of DORA. The collective approach is designed to strengthen the sector's defences, creating a united front against cyber threats.
Finally, with DORA, the EU is setting a precedent for digital operational resilience, striving for uniformity across member states. This harmonisation promises a consistent and fair playing field for all financial entities, reducing fragmentation and promoting collective security. Most importantly, as ICT services can come from anywhere in the world, DORA’s influence extends beyond EU borders, affecting entities globally that provide ICT services to the EU financial sector. Notably, this group includes the major cloud providers such as Microsoft Azure, Google Cloud and Amazon Web Services. This regulatory reach ensures that the pillars of digital operational resilience are upheld, regardless of geographical location.
"The introduction of DORA represents both a challenge and an opportunity. Adapting to these stringent standards, particularly in managing the complexities of blockchain technologies, demands significant resilience testing efforts."
Arthur Raineau-Rispal, Head of Risk
Viewing DORA through a strategic lens reveals more than compliance: it heralds a chance for financial entities to refine and elevate their resilience. Moreover, the compliance process DORA requires serves as a practice step for navigating future digital regulations, such as those pertaining to Artificial Intelligence[3]. By complying with DORA, the financial sector not only meets today's regulatory requirements but also lays a robust foundation for the ongoing digital transformation of finance.
FundsDLT strategy for DORA compliance
For FundsDLT, especially given its dual role as both a regulated financial entity and an ICT service provider, the introduction of DORA ushers in a multitude of changes that demand a keen understanding but also reflect the company’s mission of operational integrity in a digitally transformed fund distribution chain.
"At FundsDLT, complying with DORA not only involves rigorous updates but also affords us a chance to demonstrate our robustness as a leading-edge provider."
Arthur Raineau-Rispal, Head of Risk
FundsDLT as a financial entity
Directly, as a financial entity, FundsDLT faces the substantial task of aligning its operations with DORA's rigorous requirements. This transition, laborious as it is for every entity, reinforces the alignment of critical functions and paves the way for implementing best practices across the board, from ICT risk management to incident reporting.
However, these changes are not without their challenges. FundsDLT is a small entity (compared to other financial institutions) and DORA requires exhaustive reviews and updates to existing frameworks to meet the harmonised standards. Additionally, we work with service providers from around the globe and are obliged to carefully manage the risks associated with our non-EU service providers, ensuring compliance without compromise.
FundsDLT as a service provider: rising to the occasion
The impact of DORA on FundsDLT as a service provider, however, is more nuanced. Positioned within the EU and already operating under financial regulations due to its licenses, the company is primed for compliance. This regulatory alignment presents a unique advantage, positioning FundsDLT as a robust and reliable service provider in the eyes of clients who value adherence to stringent operational standards.
Despite this advantage, the company is not impervious to the challenges DORA brings. The sophisticated nature of our infrastructure, which incorporates both cloud and blockchain technologies, makes resilience testing a particularly demanding endeavour. Nonetheless, we are steadfast in our commitment to maintaining and enhancing our operations.
Competitive edge and forward-looking compliance
For FundsDLT, DORA is not only a regulatory milestone but also a strategic opportunity to stand out among service providers. The company’s inherent compliance with financial regulations provides a competitive edge, assuring clients of FundsDLT’s commitment to resilience, security and operational integrity. This compliance is not merely about meeting regulatory expectations; it's about creating a blueprint for future operations - a future where processes are inherently resilient, secure, and trustworthy.
Looking ahead, FundsDLT embraces DORA with a forward-thinking mindset. Though the work ahead is substantial, especially for a smaller entity, it is viewed as a crucial step in crafting a more resilient and operationally sound organisation. By implementing DORA’s requirements, FundsDLT is not just future-proofing its business—it’s also solidifying its reputation as a pioneer in digital operational resilience within the financial services sector.
In conclusion, DORA represents a transformative opportunity for the financial industry, urging entities to elevate their operational and digital capabilities. The broader implication for the industry lies in harnessing DORA as a catalyst for enhanced digital transformation and collaboration.
References
[1] ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification (europa.eu)
[2] https://www.pwc.lu/en/digital-operational-resilience-act.html
[3] https://www2.deloitte.com/nl/nl/pages/risk/articles/the-digital-operational-resilience-act-finding-patterns-across-digital-regulations.html