New European regulations, dubbed the Digital Operational Resilience Act (DORA) and aimed at ensuring a more robust financial system, are having a profound impact on IT businesses as they strive to meet the stringent standards their clients demand. The regulation, developed in response to the pervasive use of ICT systems within the financial services sector and the systemic vulnerabilities this creates, does not only affect financial firms directly but extends its reach to their IT suppliers as well.
Although DORA is only set to come into effect from January 17, 2025, IT providers are already beginning to implement significant changes. This is a response to their financial services clients who are becoming increasingly demanding of stricter security standards. With this in mind, organisations are being urged not to delay in taking the necessary steps to achieve compliance.
Nikhil Shah, a regulation expert and Director at law firm Fieldfisher, has issued advice to IT suppliers in light of these new regulations. He stated, "Because of the strict obligations imposed on them under DORA, including requirements to conduct robust pre-contract due diligence and to monitor their supply chain much more closely, I expect that firms will become more conservative in their procurement choices." Shah warned that suppliers who fail to bolster their security compliance promptly could be overlooked in favour of organisations that can demonstrate adherence to best practices.
Shah further explained that while adjustments are needed, these changes should not be overly burdensome: "Whilst IT providers need to understand the impact and alter their own systems and processes, much of this will simply be building on existing systems and processes - hopefully! IT providers would be well advised to show a proactive approach." This approach includes preparing a DORA-compliant sales package, inclusive of DORA-compliant contract terms, and making it available well ahead of time.
The regulation expert also emphasised that organisations affected by this new legislation should view it as an opportunity to gain a competitive edge. He said, "The regulations are less than a year away now, and firms will be getting governance in place and reviewing or updating their current contracts imminently. IT providers should be considering their status and conducting a compliance gap analysis. There will be an arms race to see who can propose the necessary terms first – getting your terms on the table first can present a very significant competitive advantage."
DORA represents just one of several upcoming regulatory changes in the cybersecurity arena, a sign of regulators' intention to boost the security of organisations across a multitude of critical industries.