Who Needs to Comply with DORA? Scope and Affected Companies

Introduction

The Digital Operational Resilience Act (DORA) helps to strengthen the European financial market infrastructure against digital risks. While there are legitimate reasons why some institutions may pursue alternative compliance approaches, the increasing number of cyber threats and the growing importance of technology in financial services make compliance with DORA regulations crucial for many companies in Europe. Not only because the financial penalties can be substantial, but also due to potential audit errors, operational disruptions, and damage to corporate reputation. In this article, we aim to clarify the scope of DORA and outline which companies are affected and what consequences non-compliance may have.

This topic is particularly relevant for European financial service providers, as they bear a significant responsibility for the stability of financial systems due to their central role in the economy. Compliance with DORA can not only help minimize risks but also enhance customer trust. We want you to have a clear understanding of how DORA affects you and your company and what steps you need to take to meet the requirements after reading this article.

The Central Problem

When addressing DORA, it is not only about meeting regulations but also about ensuring the efficiency and security of financial services. In fact, the actual costs of non-compliance with DORA can be significant. Suppose a bank managing €1 billion in assets loses an average of €5 million per year due to the failure to implement DORA measures because it makes riskier investment decisions or does not adequately protect against cyber-attacks. Moreover, non-compliance with DORA also deteriorates operational efficiency, as it leads to more time spent on compliance tasks and restricts flexibility in decision-making.

However, most organizations err in viewing DORA merely as a bureaucratic hurdle. They overlook the fact that DORA helps enhance the resilience of the organization against external threats while simultaneously improving internal management. As stipulated in DORA Regulation Art. 28(2), financial service providers must continuously update their IT infrastructures and ensure compliance with the latest security standards.

In some cases, non-compliance with DORA can also lead to serious legal consequences. If an institution is unable to demonstrate its compliance with regulations, it may face fines from the financial supervisory authority BaFin or other competent authorities of up to €10 million or 20% of its annual total revenue, whichever is greater. This underscores the seriousness of the regulations and the necessity to actively engage in DORA compliance.

Why This is Urgent Now

The urgent need for compliance with DORA arises not only from legal requirements but also from recent regulatory changes and enforcement actions. In 2023, the European Union adopted DORA, which applies to all financial service providers in the EU that utilize digital technologies. This regulation aims to ensure the stability of financial systems while keeping the European financial services market competitive. Therefore, compliance with this regulation is crucial for all companies operating in this market.

Additionally, market pressure is increasing as more customers demand that financial service providers meet certain certifications and compliance standards. The ability to demonstrate compliance with DORA can thus serve as a competitive advantage and increase an organization's market share.

In practice, this means that companies lacking the necessary compliance measures may face a competitive disadvantage. It is therefore critical that you adapt quickly and make the necessary investments in compliance solutions to meet DORA requirements while maintaining competitiveness.

In summary, compliance with DORA is of great importance not only due to legal requirements but also because of the growing significance of compliance in the financial sector. In Part 2 of this article, we will delve deeper into the specific requirements of DORA and show you how to effectively prepare your organization for compliance with this regulation.

The Solution Framework

To tackle the challenges of DORA compliance, a step-by-step approach should be followed. First, it is necessary to analyze the requirements of the regulation and determine which provisions are relevant to your organization. In particular, DORA Articles 4, 5, and 28 are significant, as they govern compliance with IT and cybersecurity standards.

First, create a list of specific obligations under DORA. Article 4 provides detailed information on the general security measures that must be taken to minimize risks related to business operations. Article 5 covers access to operations and the operational prohibition should a financial service provider fail to meet the requirements. Article 28 establishes the obligation to verify the reliability of IT systems and IT services and their compliance with security standards.

Next, you should develop a compliance roadmap that details the implementation of these requirements for each affected business segment and process chain. Define clear goals, such as reducing the audit preparation time from six weeks to five days, and continuously measure progress.

The quality of compliance implementation should be rated on a scale from "good" to "just adequate." "Good" means that the organization not only meets the minimum compliance requirements but is proactive in identifying and addressing potential vulnerabilities. This also includes continuous monitoring and improvement of compliance processes.

Common Mistakes to Avoid

Companies often make mistakes in DORA compliance. Here are the top 3 mistakes and how to avoid them:

1. Inadequate Risk Assessment: Many organizations do not conduct comprehensive risk assessments and thus overlook potential compliance vulnerabilities. To avoid this, you should conduct regular risk analyses and implement a framework for identifying, assessing, and treating risks.

2. Misinterpretation of Requirements: It is not uncommon for companies to misinterpret the specific requirements of DORA. Instead of relying on their own assessments, they should refer to official documents and financial supervisory authorities like BaFin or BSI.

3. Compliance Checks Only on Paper: Some companies have compliance procedures that they do not implement in practice. To address this, you should foster a genuine culture of compliance that treats it as a priority and not just as compliance checks on paper.

Tools and Approaches

There are several approaches that organizations can use to implement compliance measures. Each method has its own advantages and disadvantages and is effective in different situations.

Manual Approach: This can work for smaller companies or teams of fewer than 20 people. It is cost-effective and does not require significant investments in technology. However, it is time-consuming and often leads to human errors. It is important to document processes and review them regularly to ensure effectiveness.

Spreadsheet/GRC Approach: An improvement over the manual method is the use of spreadsheets and Governance, Risk & Compliance (GRC) tools. These provide a central database for all compliance data and allow for better data management and analysis. However, these tools have their limitations: they can be complicated to use and often do not offer enough functionality to address all aspects of compliance.

Automated Compliance Platforms: For companies seeking a scalable and more efficient compliance solution, automated compliance platforms like Matproof are available. These utilize artificial intelligence to generate policies in German and English and automatically collect evidence from cloud providers. They also offer an endpoint compliance agent for monitoring devices and ensure 100% data residency rights in the EU.

A crucial factor in selecting a compliance platform is adaptability and user-friendliness. A platform should be easy to use and able to quickly adapt to changing compliance requirements. It is also important to pay attention to data protection aspects and ensure that the collected data is processed in accordance with GDPR and other relevant laws.

Honestly, automation helps when it comes to the efficiency and accuracy of compliance work. However, it is not the solution to all problems. Sometimes, it is better to rely on a combination of automated tools and manual processes to ensure a robust compliance strategy.

Conclusion

Compliance with DORA is a complex task that requires careful planning and implementation. It is crucial to understand the specific requirements of the regulation and to implement an appropriate compliance framework. By avoiding common mistakes and utilizing the right tools, organizations can ensure that they not only meet the minimum requirements but are also proactive in identifying and addressing potential vulnerabilities. A well-thought-out compliance strategy is essential to ensure business operations and maintain trustworthiness in the financial services market.

Who Needs to Comply with DORA? Scope and Affected Companies

In the first two parts of this series, we have discussed the Digital Operational Resilience Act (DORA) and its impact on risk management and business processes of companies in the financial sector in detail. In the third and final part of this series, we would like to provide you with a concrete action plan to get started with implementation, answer frequently asked questions, and summarize the key insights.

Getting Started: Your Next Steps

To get started with DORA implementation, it is advisable to follow a 5-step action plan.

1. Understand the Basics: Familiarize yourself with the requirements of DORA. Read the official EU publications on DORA, such as the draft vote of the European Parliament or the relevant BaFin guidelines.

2. Conduct a Risk Analysis: Assess your existing IT systems and business processes for potential risks that need to be addressed by DORA. This includes identifying critical outages and protecting against cyber threats.

3. Build Competence: Create an understanding of DORA's compliance requirements within the organization. Organize training for your employees, especially for compliance and IT teams.

4. Develop a Strategy: Develop a specific compliance strategy for your organization. Consider both technical and organizational measures.

5. Integrate into Practice: Incorporate the requirements of DORA into your daily business processes and monitoring systems. Regularly test to uncover potential vulnerabilities.

Resources you can utilize include the BaFin guidelines and the EU regulation itself. Note that external assistance may be advisable in challenging cases or with limited internal resources. A quick win that you can achieve in the next 24 hours is to conduct an initial risk assessment and create a list of actions that need to be taken immediately.

Frequently Asked Questions

1. Which companies are affected by DORA?
   Companies in the financial sector operating in the European Union are affected by DORA. This also includes subsidiaries and branches outside the EU that offer services to EU citizens.

2. How can my organization quickly identify which DORA requirements are relevant?
   Start with a gap analysis between your current compliance practices and the requirements of DORA. Focus on critical areas such as IT risk management. Use best practices to assess which areas require improvements.

3. Do I need to make all IT systems and processes in my organization DORA compliant?
   Yes, all IT systems and processes that support must comply with DORA requirements. This includes both your internal systems and those of third parties.

4. How can I ensure that my compliance measures are accepted by DORA?
   Ensure that your compliance measures are specific, measurable, and verifiable. Document all steps and results of your compliance activities, and conduct regular audits to verify and confirm the effectiveness of your measures.

5. What resources do I need to successfully implement DORA?
   You need a mix of technical experts familiar with IT risks and security aspects and compliance specialists who know the details of the DORA regulation. This can be sourced internally or externally, depending on your organization's size and complexity.

Key Insights

In this third part of our series on DORA, we discussed how to get started with implementation, what questions you may frequently have, and what key insights you should take away. Here are the main points:

• DORA affects all financial service providers in the EU, including subsidiaries and branches outside the EU.
• A gap analysis between your existing compliance practices and the requirements of DORA is a good starting point.
• All IT systems and processes that support must comply with DORA requirements.
• Documentation and regular audits are crucial to ensure the acceptance of your compliance measures.
• The right combination of internal and external resources is essential for successful DORA implementation.

If you need support in implementing DORA, Matproof can help. Our compliance automation platform is specifically designed for the needs of the EU and the financial sector. Visit https://matproof.com/contact for a free assessment and more information.