We review the top priorities for financial institutions that are required to implement the EU’s Digital Operational Resilience Act (DORA) by the end of 2024. Our Financial Regulation team sets out five top tips for your implementation plan.
Regulated firms face an avalanche of change. All eyes were on the Central Bank’s IAF/SEAR regime in 2023. Now, just as firms near the end of that implementation project, with most of the SEAR requirements becoming operational from July, attention is turning to the Digital Operational Resilience Act (DORA) with the implementation deadline of 17 January 2025 fast approaching.
In our experience, firms are only at the start of their implementation processes and legal stakeholders are only just beginning to become involved. Here are our five top tips to consider when launching an effective DORA implementation plan:
1. Define and identify your ICT risks
One of the best supports that Legal stakeholders can provide to a DORA implementation team is to ensure that from the outset the scope of the project is clearly defined. What third-party service provider arrangements are in-scope and which are out-of-scope? Where are the grey areas and what methodologies will your firm apply in these areas? To what extent can your firm leverage existing policies and procedures dealing with outsourcing to apply to DORA? What approach will your firm take to proportionality and how can this be best justified?
All of these questions require Legal stakeholder input. When Legal has helped them to scope the exercise, your ICT and Compliance stakeholders can do a much better job of identifying your sources of ICT risk, information and ICT assets, roles and dependencies, and interconnections with third-party providers, as required by Article 8 of DORA. Approaching this in a pragmatic way that reflects the scale and complexity of your business will make everyone’s lives easier down the line.
2. Engage with ICT service suppliers
Start now! Contractual negotiations take time, particularly if you need to negotiate with a third-country supplier who is not familiar with the scope of DORA. Don’t assume that because you have completed a contractual uplift exercise for EBA/EIOPA/Central Bank outsourcing purposes, DORA uplift will be a small task. This depends entirely on your contract landscape and your scope determination.
3. Leverage existing frameworks
Don’t create standalone policies and procedures specifically for DORA. It’s always tempting to “tick-the-compliance-box” by having a document marked “policy” for every requirement but your stakeholders won’t thank you for it later. Look at your existing ICT risk management framework and look to uplift it. And think of your internal governance processes and what will be needed to finalise policy revisions in time for January 2025.
4. Get Board buy-in
DORA requires full Board engagement for ICT risk management. Get your Board involved now, put DORA implementation plans on the Board and Risk Committee agendas and keep the Board regularly updated on developments. The Board will appreciate a briefing on the legal risks and requirements under DORA, so think about doing this or engaging consultants to do it.
5. Assemble your resources
We offer a range of cost-effective lawyer-led service offerings to provide your leadership team with comfort and assurance regarding your firm’s DORA implementation. We are currently advising several regulated firms on their DORA implementation projects, so talk to us if your legal stakeholders need resources and support.
For more information and expert advice on making preparations for the implementation of DORA, contact a member of our Financial Regulation team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.