DORA compliance
What is your first reaction when you learn that there is another compliance regulation and
you have two years to be fully on board? What is compliance really about for you?
When I asked one of our clients how her company approaches compliance, her initial
response was that they have all necessary requirements in place should the regulator check
on them. She works for a financial services company and we were talking about ICT
compliance. So bearing that in mind, I was expecting her to mention ICT risks and
vulnerabilities, including those related to outsourcing of certain functions. I was thinking
about their ICT-related capabilities to address the security of the information systems which
support the quality of their services. I asked whether they exchange threat intelligence
with other financial institutions on ICT incidents and cyber-attacks. These are logical and
straightforward issues that companies would be looking into to ensure operational integrity
and digital operational resilience.
A colleague said to me recently that it's a common approach to look at compliance from a
regulatory point of view, ensuring that a financial entity meets the minimum required standards. But
is looking just at regulatory compliance enough in the current environment of heavy
reliance on ICT and outsourcing of many ICT functions to third-party service providers? Recent
events have demonstrated a clear link between the way financial entities manage their
operational resilience and their ability to maintain the confidence of their customers, shareholders
and the market.
What about corporate (internal) compliance? Do you have documented internal ICT
procedures and practices? Do you have clearly defined responsibilities and protocols for ICT-
related incidents? Are there enough resources for testing, maintenance, upgrades,
emergency procedures, recovery, etc.? Does the company have sufficient capabilities, and
does the staff working on compliance issues receive on-going training? I could go on with
these questions for a bit longer.
My point is that the purpose of compliance is to adhere to both internal policies and
procedures (the corporate side) and governmental laws and regulations (the regulatory side). Maintaining
up-to-date compliance practices helps your company mitigate risks like security breaches
and data losses, as well as avoid disciplinary action that could lead to license revocations,
damaged reputation, lost customers, and financial penalties and losses. Comprehensive
compliance procedures, continuously implemented and monitored, will protect your
company from reputational risk, improve its standing and value, and prevent and detect
violations of rules. In order to ensure your compliance program is successful on all levels, it
must include three important pillars: People - Policies - Technical Enforcement.
A common definition of compliance is "Observance of external (international and national)
laws and regulations, and internal norms and procedures, to protect the integrity of the
organization, its management and employees with the aim of preventing and controlling
risks and the possible damage resulting from compliance and integrity risks".
Still confused? You can reach out to our team and we will train and guide you at our workshops in best practices on both ICT regulatory and
corporate compliance so that you are fully on board with the DORA requirements from January 2025.