DORA Is Here, So Now What?
The EU’s Digital Operational Resilience Act (DORA) has entered into force after years of preparation, affecting payments and e-money firms, banks, big tech, investment firms and crypto-asset service providers.
DORA, which single-handedly deprived IT and compliance teams in the EU’s financial sector of any remnants of a Brat summer in 2024, has finally become an actionable piece of compliance. That means that the preparatory phase is over, and now firms across the financial sector (20 different categories of financial services, to be precise!) are at the whims of the EU’s regulators regarding their adherence to the ICT risk framework. Operational resilience has become an integral part of the EU’s digital transformation, and DORA will be a significant legal tool for regulators, at member state level and supranationally, to use against firms that fall short of the prescriptive requirements set out by the regulation.
The implementation of DORA means much more pressure on financial institutions as they grapple with cyber resilience, and it includes the monitoring of third-party risk, basic and advanced threat testing, and the reporting of major outages. It will, of course, introduce a more streamlined and thorough process for reporting outages, and should make financial services more resilient. But that does come with the caveat that new investments and workstreams will be necessary to comply with burdensome rules and expectations.
What should firms be thinking about now DORA is here?
The upcoming focus for DORA compliance will be on the DORA register of information. This will track dependencies and risks from ICT third-party providers, providing data to supervisory authorities. It covers all ICT services, with critical functions requiring detailed listing, and the European supervisory authorities (ESAs) plan to collect these registers from competent authorities by April 30, 2025.
This will be an easy starting point for regulators to assess compliance. They will be able to look into the data submitted by firms, and if firms either don’t submit the data or submit poor data, then there is every chance that their national competent authority will come knocking at their door. For example, if you’re a small e-money firm, then you need to be thinking about adopting an ICT risk strategy to manage third-party dependencies, including critical services like cloud hosting and fraud detection, as well as non-critical functions like IT support.
Or, let’s say you’re a crypto-asset service provider (CASP) offering wallet services, crypto exchanges, and staking platforms. You’re already going through the new licensing process thanks to the Markets in Crypto Assets (MiCA) regulation, and you’re heavily reliant on third-party ICT providers for critical operations, including blockchain infrastructure for transaction validation, cloud storage for storing customer KYC data, and cybersecurity solutions for safeguarding assets. For example, one provider could be supplying critical blockchain infrastructure for core transaction functions, another could be providing critical cloud storage for customer KYC data, while a third delivers non-critical email services.
By the time the deadline to submit data to national competent authorities comes around, firms will need to have categorised ICT contracts like these by their importance in supporting business functions. Time is of the essence, and firms need to be thinking constantly about their operational resilience, their third-party relationships and their reaction should they be hit by a crisis such as an IT outage. The CrowdStrike outage in 2024 revealed how easily something like this can happen, and frameworks like DORA only bolster the pressure on firms to respond proactively.
Want to stay up-to-date with DORA and other regulatory updates in the payments space?
Get in touch or book a demo to speak to a member of the Vixio team who can show you how the PaymentsCompliance platform can benefit your business.