Q&A with Mick Grayson: Navigating DORA Compliance and Strengthening Digital Resilience. PT 2

Jan 17, 2025

Welcome to Part 2 of our two-part series on navigating DORA compliance and strengthening digital resilience. In this installment, Mick Grayson, Manager of GRC at Abacus Group, shares his insights on the future of operational resilience regulations, how firms are aligning with DORA, and the ongoing process of strengthening their ICT risk management practices.

Q: What are your predictions for future regulation in or outside of Europe?

The UK's Financial Conduct Authority (FCA) is taking steps to align its operational resilience requirements with DORA. Although the UK is no longer part of the EU, the interconnected nature of the financial sector will impact UK-regulated businesses in some shape or form.

The FCA has been proactive in updating its operational resilience framework to ensure consistency with international standards. Notably, the FCA has advanced its compliance deadline from March to January 2025, aligning more closely with DORA's implementation timeline. Both the FCA's framework and DORA share common objectives, such as enhancing operational resilience, emphasising third-party risk, and resilience testing.

There is a clear direction of travel in progress by the FCA, which has an active consultation exercise, entitled Operational Incident and Third-Party Risk, due to close in March 2025.

Q: How do you feel FCA and DORA regulations compare?

Generally, DORA is more prescriptive, focusing specifically on ICT risk management, while the FCA adopts a broader approach to operational disruptions, allowing for greater flexibility in interpretation. Additionally, under DORA, regulatory bodies directly oversee critical ICT providers, whereas the FCA holds financial institutions accountable for managing their third-party risks. The prescriptive nature of DORA provides the clarity both regulated firms and service providers need to confidently meet compliance, and above all, better protect their businesses.

Q: What timelines have you observed for clients to review and meet DORA compliance? What advice can you give to expedite the process?

Ultimately, this really depends on the maturity of the existing ICT risk management process within the firm. If there is already a process in place to identify, monitor, and manage ICT risk within the environment, the path to compliance may be relatively straightforward and quick. If there is a lack of ICT risk management and documentation, it will take longer to establish practices and embed them within the business.

For most of the clients we have assisted with DORA compliance, it's a case of plugging gaps rather than a complete overhaul of existing practices. As a result, most have achieved compliance in a matter of weeks, not months. However, the nature of DORA requires the firm to continually review and improve the processes within the business.

Q: Beyond being compliant, what immediate benefits is DORA compliance likely to yield for firms aligning?

In addition to fulfilling regulatory requirements, DORA compliance brings tangible benefits for firms looking to enhance their overall resilience. A key advantage is a proactive approach to vulnerability management (VMaaS), which helps firms understand the technical risk landscape and ensures robust and ongoing remediation frameworks are in place.

Compliance also forces firms to review their policies and business continuity plans (BCPs). With the rise of AI innovation, it's essential that these documents reflect the evolving threat landscape. Additionally, having clear business buy-in from leadership is non-negotiable, as DORA requires comprehensive governance to ensure full organizational alignment.

DORA's emphasis on vendor due diligence is another benefit. Over the past few years, we've seen high-profile cases of firms being impacted by issues within their supply chains. DORA ensures that firms place greater emphasis on their outsourced functions or critical service providers, which is a positive step toward reinforcing operational resilience.

Conclusion

This concludes Part 2 of our two-part series on DORA compliance. As Mick Grayson highlights, compliance with DORA is not just about meeting regulatory requirements but also enhancing your firm’s operational resilience for the long term. If you missed Part 1, where we explored the initial steps toward DORA compliance and insights from Mick on the process, be sure to check it out for a deeper understanding of how firms are aligning with the regulation.

At Abacus Group, we are committed to helping our clients navigate the complexities of DORA and ensure they’re not just compliant, but ready to lead in digital resilience.
