Dan Golding: The finish line is finally in sight. The January 17th DORA compliance deadline is weeks away. And for many financial entities operating in the EU, the past year has been a sprint to fully understand and implement the regulatory requirements. It's been hard work and it's not over yet. We've said it before, and we'll say it again: DORA is more than just a regulatory tick-box exercise. It's a chance to continuously improve how you manage digital risk.
Today I'm joined by my colleague Salina Ladha, Partner and expert in Risk and Regulatory Compliance, to take stock of where we are, spotlight where we've seen firms go above and beyond and share our views on what's next.
So, Salina, what are you hearing from the industry? Is compliance a certainty?
Salina Ladha: Firms have very much been focusing on prioritising the key activities and ensuring proportionate compliance. They’ll have ticked off the big-ticket items.
So, identifying their important and critical functions, identifying their ICT assets, the third parties that support them. But there will still be work to do post the 17th January. The focus for firms really is on being able to demonstrate that they're complying with the spirit of the regulation.
What does best-in-class DORA implementation mean for you?
Dan Golding: It's not about ticking regulatory boxes. It's about recognising that this is an opportunity to fundamentally transform the way in which the organisation manages ICT risk.
Most firms have spent a lot of time, energy and money over the last ten years building capabilities around security, privacy, resilience and architecture, and most of these functions and teams have developed largely in isolation. They have to recognise that a lot of the risks cut across those teams and functions. So, there is a need for firms to build more cross-functional collaboration and ways of working, and operating models to support it.
So, Salina, you tell me what's next for DORA? Can firms just breathe a sigh of relief? Or is there more to do?
Salina Ladha: There's definitely more to do. And I think those activities fall into three main buckets.
I think firstly, there's the implementation of some of the longer-dated DORA requirements. The big example here is threat-led penetration testing: firms need to make sure that they're undertaking that every three years. So, there'll be more work to do there.
Secondly, there's enhancing the scope of existing remediation work. What do I mean by that? Firms are focused on prioritising testing of critical assets, on remediating high-priority contracts. So, they need to expand the scope of those activities.
And then thirdly, embedding. So, where firms have updated policies and procedures, they actually need to make sure that they work in practice and actually test them. So, for example, if you've updated your incident management plans and processes, do they work in practice? Exercising here is key.
What do you think are the big headlines for digital risk and regulation in 2025?
Dan Golding: Well, firms are still continuing to invest heavily in digital, data and technology capabilities. And the risk profile of these organisations is changing at a dramatic pace. So, the need to keep their foot on the gas and continue to invest in building capabilities around managing risk and compliance is going to be absolutely essential as we get into 2025. And just thinking about it from a regulatory perspective, there have been a number of big pieces of regulation and regulatory change over the last couple of years, and they're still bedding down. So again, firms are going to have to continue to live and breathe these regulatory requirements to make sure that they're part of the operating fabric of the business.
But there are also some new regulations as well. So obviously we've got the EU AI Act, which is coming into force early next year, and then a series of additional enforcements over the next 12 to 18 months. We've got expansions of GDPR, which are going to include new definitions for new technologies such as AI. And from a security perspective, there's a couple of big pieces of regulation in the pipe, one in the UK around cyber security and the other one in Europe around security and resilience, which are going to be really impactful for quite a lot of firms.
So, Salina, any final words of wisdom?
Salina Ladha: So, I think firstly, focus on the spirit of the regulation. As you said, it's not a tick-box exercise.
Don't operate in silos. We've had lots of firms uplifting the way they think about managing their ICT third-party providers. But you don't want to have a separate regime for ICT third-party providers and your non-ICT providers. So, think about how you can have a holistic way of looking at that.
And then finally, focus on the horizon. I know that you mentioned some of those big-ticket regs that are coming down the pipe, but you've also got some smaller items as well. For example, the Financial Stability Board (FSB) and Prudential Regulation Authority (PRA) incident reporting consultations; those will impact what firms are doing around incident management.
And they may need to revisit what they've put in place to comply with DORA.
Dan Golding: Thank you, Salina. If you'd like to chat about your DORA compliance and how to stay ahead of the next wave of digital risk and regulation, please don't hesitate to get in touch.