It’s been half a year since the Digital Operational Resilience Act (DORA) was implemented, and it’s clear that many firms are still lagging behind in their compliance efforts. Too many are treating DORA as just another IT project, missing the mark on the cultural and governance changes the regulation aims to bring. Here’s why firms are struggling and how they can turn things around.
The Challenges Holding Firms Back
1. Silos and Legacy Systems: Organizational silos and outdated systems are major hurdles. Risk, IT, compliance, and security teams often work at cross-purposes, making DORA’s goal of joined-up resilience nearly impossible. Legacy systems lack real-time monitoring, leaving firms vulnerable to cyber threats and compliance failures.
2. Outdated Processes: Relying on spreadsheets and point-in-time information takes too long. By the time data is gathered, it’s already outdated. This reactive approach keeps firms stuck in a cycle of playing catch-up.
3. Lack of Board Engagement: Without top-level buy-in, investment decisions stall, and security and resilience are seen as operational rather than strategic issues. Firms only act when incidents occur or third-party breaches force their hand.
4. Limited Visibility: A recent Forrester study found that nine in ten financial institutions need better visibility to mitigate risk and meet regulatory obligations. Collaboration with partners can help fill this gap.
Where DORA Expectations Outpace Current Practices
DORA expects near real-time oversight, but many firms are still stuck with manual audits and periodic checks. Third- and fourth-party risk management, threat-led penetration testing, and incident detection and reporting are also proving challenging.
Compliance Fatigue and Overlapping Frameworks
DORA overlaps with other frameworks like NIS2, GDPR, and PSD2, leading to “compliance fatigue.” Firms struggle to keep track of responsibilities and rising cyber threats.
Turning Compliance into Resilience
Despite these challenges, DORA presents an opportunity to build the resilience financial institutions need. Here’s how firms can make the most of it:
– Unify Teams: Create cross-functional working groups to break down silos and foster collaboration.
– Engage the Board: Ensure top-level buy-in and strategic decision-making.
– Assess Third-Party Risks: Map and continuously monitor dependencies; don’t just rely on supplier assurances.
– Invest in Technology: Automate processes for a continuous view of resilience.
Done right, DORA compliance isn’t just about ticking boxes. It’s about building trust, protecting the financial ecosystem, and embedding resilience as a competitive advantage. With cyber threats evolving rapidly, firms must tackle operational resilience proactively.