
Anthony Long at LRQA outlines four key challenges to DORA implementation
The European Union’s Digital Operational Resilience Act (DORA) applies from 17 January 2025. From that date, financial institutions across the EU must be able to demonstrate that their operations can withstand, respond to and recover from cybersecurity and other ICT-related disruptions. Although the Act’s goal of strengthening digital resilience is clear, achieving compliance presents distinct challenges.
At LRQA, we have identified four key obstacles businesses must be aware of in order to prepare for the approaching deadline.
The first obstacle is data aggregation. DORA requires a comprehensive, current understanding of an organisation’s ICT assets, so bringing that information together is a precondition for compliance. Centralising data from diverse departments and systems, however, is a major challenge in itself. Data aggregation means compiling information on ICT assets, risk assessments, incident response procedures and third-party providers, all of which are typically siloed in separate systems and owned by different teams.
This fragmentation can lead to inefficiencies in data management, complicating efforts to establish a unified, enterprise-wide view of ICT risk. To mitigate these issues, companies should develop a centralised data governance framework that enables streamlined data flow across departments.
Such a framework makes critical information accessible and manageable, which is necessary for maintaining a near-real-time view of potential vulnerabilities and of the organisation’s regulatory position. Effective data aggregation is essential not only for compliance but also for establishing robust digital resilience.
The second obstacle is the reliance on legacy systems, which presents a substantial challenge for DORA implementation in financial institutions. Older technology infrastructures often lack the flexibility and security capabilities required to meet the stringent requirements that businesses will have to fulfil.
These systems, many of which were developed well before modern cyber-security practices became commonplace, can introduce vulnerabilities that hinder an organisation’s ability to maintain resilient operations and to be DORA compliant. The time and resources required to update or replace legacy systems to meet the incoming standards are considerable, hence the need to prepare now, ahead of the deadline.
In response, financial institutions should conduct a thorough assessment of their current technology landscape to identify outdated systems that may pose compliance risks. This assessment should be followed by a phased strategy for system hardening, upgrades or replacements, prioritising the systems whose weaknesses most directly threaten critical or important functions. While system overhauls are costly, investing in resilient infrastructure is vital for both regulatory compliance and long-term operational stability.
The third obstacle is regulatory uncertainty, as compliance requirements can be subject to interpretation across jurisdictions. While DORA aims to unify digital resilience standards, the enforcement and oversight mechanisms may vary at both EU and national levels, adding complexity for multinational organisations.
Additionally, some specific aspects of DORA’s application remain in development, leaving gaps in how certain compliance measures will be assessed by regulatory bodies.
To address this uncertainty, businesses should actively engage with regulatory bodies and industry groups to stay updated on evolving guidelines and expectations. Establishing open communication channels with regulators and participating in industry discussions can help organisations clarify compliance requirements. By staying informed, businesses can better anticipate potential regulatory shifts and adapt their implementation strategies accordingly.
The fourth obstacle is the talent shortage: the supply of cyber-security and risk-management professionals has not kept pace with growing demand for their skills, posing a significant barrier to DORA implementation. As financial institutions seek to build resilient ICT systems, the need for specialised expertise in compliance, digital risk and operational resilience continues to increase. Yet the industry faces a skills gap that limits the availability of qualified professionals to support these efforts. For many organisations, this shortage can lead to delays in compliance or to reliance on over-stretched internal teams.
To overcome this, companies should consider partnering with external assurance providers who possess deep regulatory expertise and the specialised skills needed for compliance. Leveraging external resources can provide the necessary support for implementing complex requirements ahead of the January 2025 deadline, allowing internal teams to focus on core operations.
Additionally, investing in training and development programmes for current employees can help close the skills gap in the longer term, ensuring the organisation is equipped to meet ongoing resilience standards.
Implementing DORA compliance requires careful planning and resource allocation, as well as a proactive approach to overcoming challenges like data aggregation, legacy systems, regulatory uncertainty, and talent shortages.
While these challenges may seem daunting, preparing now is essential for resilience and regulatory adherence in a landscape where digital threats continue to evolve. By working with a trusted third-party assurance partner, businesses can gain the expertise and support needed to navigate the new requirements confidently and effectively.
Anthony Long is VP, Advisory Consulting at LRQA.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.