The Digital Operational Resilience Act, commonly known as Dora, has become a critical piece of the legislative puzzle for financial institutions across Europe.
Following a heavily anticipated and demanding compliance deadline, the regulation became fully applicable on 17 January 2025. It is intended to close gaps in EU financial regulation and strengthen the financial sector's resilience against information and communication technology (ICT) disruptions and cyber threats.
Although Dora is an EU regulation, many UK financial entities that operate EU-authorised subsidiaries, serve EU clients or supply ICT services to EU financial entities will need to comply, either directly or through contractual requirements passed down by their EU counterparts.
For many financial institutions, the introduction of Dora is a welcome opportunity to overhaul existing processes and introduce a consistent approach to all aspects of operational resilience.
It explicitly targets ICT risks with clear rules for risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
Though the regulation covers a wide range of financial market participants, including credit institutions, investment firms, insurance companies and insurance intermediaries, the position of independent financial advisers (IFAs) is less clear-cut.
Pillars of support for IFAs
Whilst financial entities authorised within the EU must comply, many UK IFAs are not directly obligated to do so, either because they do not do business with EU clients or counterparts, or because Dora applies proportionately and imposes lighter obligations on microenterprises and smaller firms.
While this provides flexibility, IFAs should look to implement a framework such as ISO 27001, as this can play a crucial role in meeting requirements and enabling IFAs to align with the key pillars of Dora.
Organisations that already have ISO 27001 certification, or are implementing its principles, will have a solid foundation in place to meet many of the Dora compliance requirements.
One critical step is a risk assessment that identifies key vulnerabilities in ICT systems and third-party providers. It should be carried out alongside a review of supplier management that sets clear cybersecurity and resilience criteria for ICT service providers.
IFAs should also develop a formal incident response strategy so that cyber incidents are handled effectively and operations remain resilient in the event of ICT failures or cyber-attacks.
This should be supported by regular testing, including cybersecurity drills and tabletop exercises to assess response capabilities, and by staff training so that employees are well-versed in cybersecurity best practice and fraud prevention.
Taken together, these measures can improve client and investor confidence in the firm's ability to withstand cyber threats and demonstrate a proactive commitment to resilience.
Thorough supplier due diligence, in turn, gives IFAs assurance that their ICT service providers meet robust security and resilience standards.
Compliance convergence
Given the broader trend of tightening regulations on financial resilience and cybersecurity, it is likely that future regulations will expand Dora-like requirements to smaller financial firms, including IFAs.
The FCA has already introduced resilience requirements that overlap substantially with Dora in its policy statement PS21/3, Building operational resilience, which sets out expectations for identifying important business services, setting impact tolerances and testing the firm's ability to stay within them.
Additionally, the Prudential Regulation Authority's supervisory statement SS1/21, Operational resilience: Impact tolerances for important business services, sets out the equivalent expectations for PRA-regulated firms.
Most IFAs are solo-regulated by the FCA, and the formal scope of PS21/3 and SS1/21 is limited to specified categories of firm, so IFAs should check whether they fall within scope rather than assume the requirements apply; either way, the expectations those statements set are a useful benchmark.
Because the UK regime and Dora share the same core themes, a resilience programme built on Dora's pillars will cover much of what the UK requirements ask for, and preparing proactively lets firms implement changes at their own pace, reducing disruption.
Voluntary compliance as competitive advantage
Even without formal regulatory mandates, market expectations are shifting.
Clients, insurers and partners may well expect UK IFAs to meet industry best practice.
IFAs that do not could face reputational damage and risk losing clients if they are perceived as unprepared for cyber risks.
There is also the threat of legal action if negligence is proven, particularly under the UK GDPR and the Data Protection Act 2018, which run in parallel with resilience requirements.
As financial markets grow more interconnected, investors and partners will be assessing their own operational risk, so alignment with Dora could make IFAs more attractive investment opportunities.
Financial services firms that wait until compliance is mandatory may face higher costs and operational disruption trying to meet new requirements under pressure.
For IFAs, acting now and demonstrating adherence to industry-leading resilience standards could gain a competitive edge over those who do the bare minimum.
Meeting Dora's prescriptive requirements through consistent ICT risk management and third-party risk management, and maintaining that resilience over time, supports a consistent provision of services across the entire value chain.
Sam Peters is chief product officer at compliance platform ISMS.online