Now in force, DORA has proven hard for many IT leaders to comply with, particularly where third-party providers, suppliers, and subcontractors are concerned.

In force since January, the Digital Operational Resilience Act (DORA) has required considerable effort from CIOs and CISOs at the 20 types of financial entities it covers. For many, the journey to compliance is not yet complete.
“In the past months, financial entities targeted by DORA have been busy internally defining roles and responsibilities related to ICT security, identifying the major risks within essential and important functions, developing a cyber threat management framework that includes policies and procedures for monitoring ICT resources, and preparing the necessary measures to ensure control of the supply chain,” emphasizes Giulia Mariuz, a lawyer at law firm Hogan Lovells.
DORA, which aims to strengthen operational resilience across the banking and financial sector, rests on five pillars that IT leaders must address: information and communications technology (ICT) risk management; digital operational resilience testing; ICT-related incident management and reporting; ICT third-party risk management; and the sharing of information on vulnerabilities and threats between financial entities, this last pillar being voluntary.
Compliance is proving to be a burden especially for third-party risk management, which requires reviewing contracts with ICT suppliers. This element of DORA requires CIOs and CISOs to screen their IT outsourcers and, with support from legal, renegotiate contracts to include clauses that protect the company from a cyber-resilience point of view.
“The chief information officer of the financial entity will have to promote and monitor the due diligence of internal activities,” highlights lawyer Maria Roberta Perugini. “The CIO must have a map of the regulatory obligations, evaluate how they fit with the current reality, see what is missing — through gap analysis — and then collaborate in the selection and evaluation processes of suppliers and subcontractors and in translating all this into contractual clauses addressed to the many and different ICT suppliers that make up the supply chain of the financial entity, all of which must allow it to be compliant.”
DORA, complex compliance for businesses
The task is particularly challenging for smaller companies, which typically have fewer resources, financially and in terms of personnel.
“As often happens with such ambitious regulations, the path to compliance is particularly complex,” says Giuseppe Ridulfo, deputy head of the organization department and head of IS at Banca Etica. “This is especially true for smaller entities, such as Banca Etica, which find themselves having to face significant structural challenges. DORA, although having shared objectives, lacks a principle of proportionality that takes into account the differences between large institutions and smaller banks.”
The difficulty is compounded for smaller organizations by their heavy reliance on outsourcing, Ridulfo explains.
“This operating model, which allows access to advanced technologies and skills, clashes with the stringent requirements of the regulation, in particular those that impose rigorous control over third-party suppliers and complex management of contracts relating to essential or important functions,” he says. “For a small bank, ensuring that every detail is compliant with DORA requires considerable effort, aggravated by often limited human and financial resources.”
Delays in the publication of the Regulatory Technical Standards (RTS) do not help either.
“The legislator has not completed the regulatory process,” says Giancarlo Butti, an auditor and expert in privacy and security. “To date, only some of the delegated regulations have been officially released, so financial entities that are, for example, redefining contracts with suppliers will subsequently have to — once the other delegated regulations arrive — add the part relating to the management of relationships with subcontractors. It is very important, in fact, that financial entities carefully consider the risk of the entire supply chain. An aspect that is not considered enough is that the impact of DORA does not only involve financial entities but, indirectly, the entire ICT supply chain.”
The complexity of DORA, therefore, lies not in the text itself, substantial as it is, but in the work that compliance entails. As Davide Baldini, lawyer and partner of the ICT Legal Consulting firm, points out, “DORA is a very clear law, as it is a regulation, which is applied equally in all EU countries and contains very detailed provisions. By comparison, NIS2 is based on principles and is a directive, so each member country has room to maneuver in its implementation. However, DORA is very prescriptive, and this makes compliance complex in terms of time and the human and financial resources that need to be deployed.”
The ICT supplier management knot
Many financial institutions — large and small — are lagging behind in reviewing their ICT supply chains, which can include multiple technology providers, suppliers, and subcontractors.
“The law imposes what is called unwavering responsibility,” Baldini says. “Simply put, the banks are responsible if the supplier is not reliable from a security standpoint, even if there is a proportionality on the importance of third parties. Financial institutions are required to have a register with information on third parties, indicating who they are, what products they provide, and so on, including contractual documentation. And this is only the first step: There is an obligation to communicate this information to the competent authorities at least once a year. It is a burdensome process.”
Of course, CIOs and CISOs may require more or different technologies from their vendors to ensure operational cyber resilience, and a vendor may not be able to provide the services requested, or may be forced to renegotiate prices.
“The current draft regulation on the subcontracting chain conditions the conclusion of the subcontracting contract to the active intermediation of the supplier, explicitly establishing both that the supplier must ensure that the contractual obligations of the subcontractors allow the financial entity to comply with all applicable rules, and that the supplier is responsible for the provision of the services provided by the subcontractors,” says lawyer Perugini.
This is a particularly delicate aspect: although liability for non-compliance rests with the financial entity, the entity will probably pass that liability on, in the form of claims for damages, to the first supplier in its chain.
Challenges for IT leaders: IT governance
Evaluating the company’s IT systems for resilience and its third-party relationships for risk is critical for DORA compliance, but the law also requires technical measures, such as network security assessments and penetration testing, which CIOs will have to oversee in coordination with the third parties that most financial organizations entrust with these highly specialized services.
Another key challenge is strengthening IT governance.
“The regulation requires the establishment of an independent, robust ICT risk control function capable of effectively monitoring all activities related to digital operational resilience,” observes Ridulfo of Banca Etica.
For smaller companies, this means investing in training for internal staff or, if necessary, hiring new resources, which involves costs and timeframes that do not always align with regulatory deadlines.
“It’s a double challenge,” Ridulfo says. “On the one hand, we need to build internal skills; on the other, these skills must be adapted to a regulation that is constantly evolving.”
Even for a lean, digital bank like AideXa, the main compliance challenge lies in the evolving nature of the processes and control structures the new regulation requires. At the same time, being digital-native has been an advantage.
“Our business continuity plan was already created to allow us to be cyber-resilient. And we already had requirements such as service-level obligations and business continuity in our contracts with ICT suppliers,” says Elena Adorno, CIO and COO of Banca AideXa. “DORA is certainly a complex regulation and involves costs for financial entities, but we are in the scale-up phase and therefore we have managed to include and converge the objectives within the industrial plan that already included investments and growth.”
Still, Adorno adds, “the fact remains that there is a lot of work to be done on the path towards compliance and it is daily and pervasive, both in terms of the technologies to be adopted and risk management.”
How to proceed with new ICT contracts
Another key challenge for IT leaders will be replacing any supplier or subcontractor that does not allow full compliance with DORA.
“Financial entities do not have much bargaining power with suppliers,” Butti observes. “If the supplier does not adhere to the contractual adjustments proposed by the financial entity, it is not certain that the latter will easily find another that will accept them, and the migration could, in any case, have a high cost. At that point, adequate risk management is needed: A single supplier that does not adhere to the proposed requirements could lead to the acceptance of a certain level of risk by the financial entity, but not be easy to replace.”
If this risk is weighed against a larger portfolio of compliant suppliers, it could be acceptable. This is where the financial entity’s management and governance come in, evaluating and negotiating new clauses on a case-by-case basis.
“It is unthinkable to impose your own security policy and a standard contract on all suppliers; the reality is that it would require a negotiation with each individual supplier, who may have already implemented the requirements requested by the regulation with solutions different from those proposed, but still compliant,” says Butti. “Think, for example, of a supplier that serves dozens of financial institutions; it is unthinkable that it adapts to the requests of each one.”
Generally speaking, explains lawyer Perugini, the contractual scheme that financial entities propose to suppliers must reflect not only the minimum contents explicitly provided for by DORA and its supplementary regulations, but also the entity’s internal regulatory elements, that is, organizational rules translated into policies and procedures, which give the financial entity the flexibility it needs to fulfill its ICT risk governance and control obligations.
“The necessary coordination will therefore involve translating into contractual clauses the internal governance obligations that the law places exclusively on the financial entity,” says Perugini.
DORA presents opportunities as well
DORA is also very focused on business continuity, so it is important for the CIO to have business continuity and disaster recovery policies in place.
“These are also useful for GDPR compliance and, in general, it can be said that the complex work of adapting to DORA has the positive side effect of helping companies adapt to other EU regulations, starting, precisely, with that on personal data,” says Baldini of ICT Legal Consulting. “Compliance with DORA, in fact, leads to diligent management of IT risk and third-party risk and this leads to compliance with many regulations applicable to banks, in addition to ensuring better cybersecurity and cyber resilience, which is exactly the purpose of the law.”
Banca Etica’s Ridulfo also emphasizes that, despite the difficulties, DORA also represents an opportunity to strengthen operational resilience and create a safer and more collaborative financial ecosystem: investing in skills, developing automation tools for compliance, and adopting a more collaborative approach, for example through the exchange of information on cyber threats, can help not only respond to regulatory needs, but also build a more robust future for the entire sector.
“Digital resilience is not only a regulatory obligation, but also a responsibility towards customers, partners, and the financial community. [CIOs’] task is not only to ensure compliance, but also to transform this journey into an opportunity to build safer and more sustainable systems,” observes Ridulfo. “The path to achieving this goal is far from linear and requires continuous commitment to balance regulatory requirements with available resources and operational capabilities.”
Banca AideXa’s Adorno is keen to point out that DORA has potential positive implications for smaller companies, starting with increased bargaining power with technology suppliers.
“If, on the one hand, the task of reviewing all contracts with the ICT supply chain is burdensome, companies — often with little bargaining power towards big tech companies that did not fall within the scope of ICT outsourcing — can now leverage requirements that are governed by the regulation,” she says.
Another benefit is that DORA gives impetus to the industrialization of processes.
“The DORA requirements allow us to accelerate the automation of non-core processes,” she explains. “The reduction of manual activities was planned in our business plan, but now this regulation provides an additional stimulus.”
The next few months will be crucial
Delays in DORA compliance are currently widespread, and as Baldini states, “This first year will serve as a running-in period.”
Lawyer Giulia Mariuz of Hogan Lovells observes: “It is in the coming months that companies subject to DORA will have the opportunity to test the measures put in place within their risk management frameworks and due diligence processes on third-party ICT service providers, and any subcontractors, as well as the robustness of the contractual measures adopted in compliance with the requirements of DORA.”
Mariuz also stresses the importance of multidisciplinary teams: “The CIO, together with the legal and compliance functions and with the active support of the CISOs, will have a central role.”
The regulator will also have to do its part. Ridulfo underlines how complex it is for the CIO to keep up with the continuous evolution of the regulatory framework.
“In addition to the regulation itself, which is already inherently complex, the production of RTS, ITS (implementing technical standards) and guidelines by European authorities adds a further layer of uncertainty,” Ridulfo concludes. “The changes introduced by these delegated acts can substantially alter ongoing projects, forcing banks to rethink plans already under way and to allocate additional resources for constant updates. This dynamic makes the planning and implementation work extremely complex, turning the compliance process into a race against time in a constantly changing terrain.”