Finding DORA: How financial institutions must develop digital operational resilience

Fabio Colombo from Accenture explains the future of ICT risk management for financial services providers

February 21, 2024

DORA, the Digital Operational Resilience Act, is the new European regulation created to ensure financial services providers across Europe develop and maintain a robust defence against ever-changing threats to their IT capabilities. Our recent report, Decoding DORA, explored this new regulatory framework and its implications for the financial services industry and beyond – in this video we invited the report’s author, Fabio Colombo, to dive deeper into what it means to comply with the principle-based regulation in time for its January 2025 deadline.

Watch more videos from this interview: What the Digital Operational Resilience Act means for third party ICT providers, and What the Digital Operational Resilience Act means for board members and CEOs

World Finance: Fabio, earlier this week we published an article you wrote exploring DORA, and I want to dive deeper into a few of the topics you discussed there, starting with the fact that this regulation is fundamentally different from those that came before.

Fabio Colombo: Yeah, the idea is that the regulation is a principle based regulation. So it’s not setting any specific technical requirements, but it sets the principles that you need to follow. So if you think how fast is evolving technology with GenAI, or post-quantum cryptography, these are topics that you need to manage in your risk universe and your risk framework.

So you need to stay at pace with what’s happening – you cannot rely on a standardised list of threats. Threats need to be evaluated each year, each quarter, to be sure that you’re managing correctly your perimeter.

So you need to have a good framework to manage the risks, that starts by identifying the threats, analysing these threats, analysing what countermeasures you have, defining the risk appetite framework that you need to use, and the level that you want to achieve.

And you need to follow this in a circle. In this way you can stay at pace with the new threats and new technologies, by having a good lifecycle of your risk management.

World Finance: Now obviously financial institutions aren’t new to managing technology risks, but this does change the framework, it changes the model for them to do that.

Fabio Colombo: Yeah, financial services providers, they have already a set of regulations that set a good starting point. But DORA aims to bring this as a full exercise that you need to put in place every year, every quarter, to stay in line with what’s happening.

Financial institutions are one of the most critical infrastructures, so DORA sits in the wide NIS2 directive, and sets the requirement for financial institutions. By doing that, this will enable a faster and safe digitalisation of the entire financial area. Without letting the threats coming from geopolitical tension, increased level of cyber activists, increased level of cyber threats, without having this impacting our financial institutions.

World Finance: Now, more of the detail on DORA is still being published – first of all, can you tell me about these publications: who are they for, what can you learn from them? And second, isn’t this putting a lot of time pressure on? The deadline for compliance is January 2025.

Fabio Colombo: Yeah, deadline now is one year from now, so, really close. If you think about the budget to put in place anything, you have only one budget cycle.

RTS and ITS are definitions that came more in detail on what you need to do. The first batch has been published some months ago, the second one has been published in December, in consultation. So my suggestion is please take a look a very detailed look at the RTS.

When we analyse the RTS compared to the DORA regulation, I think that the RTS set the a good ambition in terms of how you need to raise your posture and your maturity.