DORA has arrived; how will it impact channel partners?
The EU regulation comes into effect today for IT providers and financial services
Today is the day for IT providers working with financial services companies to comply with the Digital Operational Resilience Act (DORA).
DORA is an EU regulation that establishes a mandatory information and communication technology risk management framework for the EU financial sector.
The framework takes effect today and marks a shift in how financial services firms and their suppliers manage IT risk.
But what does it mean for channel partners who deliver IT services to the financial sector?
CRN canvassed Advania, Trustmarque, Performanta and Orange Cyberdefense to find out.
Richard Lindsay, principal advisory consultant at Orange Cyberdefense
“Frankly, the regulatory landscape in the EU is heavily congested right now, with several overlapping standards and laws, with more in the pipeline.
“Remember, only three months ago, another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), took effect.
“This persistent need to address broader compliance demands with similar requirements might explain why nine in ten UK financial services CISOs felt optimistic about their organisation’s preparedness ahead of the DORA deadline.
“In reality, however, a little less than half (43 per cent) of respondents will miss that deadline, with 20 per cent expecting to do so by at least three months, according to our latest survey.
“With so much to navigate, it was almost inevitable that many firms would struggle with meeting initial compliance deadlines. However, at the very least, CISOs recognise that, despite the initial headaches, DORA will significantly enhance digital resilience across the EU business ecosystem.
“All in all, DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance.
“However, amid the tangle of new regulations, it’s understandable that many firms are taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.”
Geoff Kneen, CEO, Advania UK
How will DORA impact your business?
“We operate as a group to work overall from a compliance perspective.
“If you look at things like GDPR or ESG, we work as a group on those things.
“One of the things we try to do as Advania is, even though the UK is the UK, we try to operate at the higher level of practice.
“I think there’s a bigger gap between Europe and the UK around ESG at the moment.
“But around business resilience I don’t think the gap is significant.
“We’ve got other things that we hold ourselves accountable to as well. For example, there are things like SOC 2 in the financial services area, and we hold ourselves to those standards.
“So our compliance with DORA isn’t a huge investment that we have to make to make sure we’re compliant because a lot of it will already be in place.”
Does DORA present your business and other IT services providers with some added opportunities despite it being thought of as a regulation headache?
“I think things like this are totally appropriate.
“There was an evolution last year in the UK, where datacentres became part of critical national infrastructure.
“So they're therefore managed at the same level as airports and transport hubs and those types of things.
“My objective reflection is that our industry should be held to account for providing services with that level of integrity.
“I think DORA is another example of different regulatory bodies or governments holding our industry to account to higher standards. And I’m supportive of that.
“If you look at the growth of providers in tech services over the last 10 to 15 years, it's been huge.
“If you look at the level of GDP in the various countries we're now supporting, then we should be held to high standards, because it's a really important role that we're playing in the economy of the countries that we serve.”
Guy Golan, CEO, Performanta
How will DORA impact your business?
“DORA could have impacted our business as we provide services to financial institutions. Thankfully Performanta has complied with the requirements as those are not too different to historical requirements. Where we feel very strong is our fully transparent relationship with our clients, including financial services industries (FSIs).
“Companies will need to understand what their services are to FSIs and how those services can influence their relationship with their clients. As an example: if one provides professional services and doesn't store any of the clients' data, there shouldn't be much impact. If a supplier provides managed services, by default they have access and may store some of the clients' data. That requires a deeper understanding and a better view.
“Let's not forget one thing. Like all regulations, there is a period of adjustment, even if those are supposed to be imposed this week. Therefore, it is not too late, and suppliers together with clients are going to figure out more about the fine details of DORA in the months to come.”
Does DORA present your business and other IT services providers with some added opportunities despite it being thought of as a regulation headache?
“Yes it does.
“As a service provider there are a myriad of opportunities in consulting.
“As an MSSP and XDR provider the additional resilience part is great for us as it has been inherent in what we do. Performanta not only detects and responds but also enhances the level of resilience on a continuous basis.
“I do see DORA featuring as part of CTEM (continuous threat exposure management) as increasing resilience across the supply chain is one of the fundamental elements in CTEM.”
Chris Jones, head of public sector, Trustmarque
How will DORA impact your business?
“We do need to be very aware of anything happening in the EU, because they are our trading partners.
“I suspect it will have an influence, because we work together very closely, but the same way that other major regions’ AI strategy, like America or China, would have an influence.
“We definitely need to be aware of it because we need to stay on top of how each geography across the world is approaching AI.”
Does DORA present your business and other IT services providers with some added opportunities despite it being thought of as a regulation headache?
“I think regulation around AI is a positive thing.
“It'll give people the confidence to commit to programmes to deliver AI, knowing it's got these regulation guardrails in place, and knowing there's an agreed approach to the regulation of it.
“In our view, the regulation and guardrails around AI are critical to ensure not only its success, but also to give it the foundations for it to grow across both the public and private sector.”