DORA: The Role of the Compliance Function

Digital development brings both opportunities and risks, especially in the financial sector, where reliance on technology and on third-party providers is increasing. To strengthen resilience in the EU, DORA (the Digital Operational Resilience Act, applicable since 17 January 2025) has been introduced. It imposes requirements on ICT risk management, ICT-related incident reporting, digital operational resilience testing, and the control and oversight of ICT third-party providers.

Ensuring Long-Term DORA Compliance 

To ensure long-term compliance with DORA, compliance functions should focus on supporting the business in integrating the regulation into its operational processes. Many companies have run focused implementation projects and developed new or changed processes and routines that must now be followed in practice. Changed working methods bring new challenges, and adjustments will need to be made continuously during the year; it is important that compliance does not become a matter of documentation and reporting alone.

The Role of the Compliance Function in Third-Party Management  

One area where we see compliance functions play an important role is the management of ICT third-party providers. Third-party risk and the management of outsourcing agreements are compliance risks that many compliance functions already address in general, but they receive increased attention under DORA.

Among other things, DORA contains provisions on managing the risks that arise from a company's use of ICT services provided by third-party providers, including requirements on how such contracts are concluded, the contractual provisions they must contain, and how the contractual relationships are monitored for as long as they last.

In addition, companies subject to DORA must have a policy governing the use of ICT services that support critical or important functions. These requirements will be familiar to many companies from existing outsourcing rules. We believe the compliance function can support the management of third-party risk under DORA by building on the experience gained from outsourcing under other regulations. There may also be synergies in implementing DORA's requirements within the processes and procedures that have already been established, rather than building a parallel set.

Creating a Solid Base for DORA Implementation 

In summary, the compliance function has an important role in ensuring, through advice and support, both regulatory compliance and the overall purpose of strengthening digital operational resilience, while keeping the work efficient and not unnecessarily burdensome. The compliance function needs to work closely with the business to support the implementation of DORA in day-to-day work and to ensure that the measures taken are functional, realistic and adapted to the organisation's actual risk exposure. By working closely with the business, identifying risks and creating a structure for continuous adaptation, a solid foundation can be laid before more extensive controls are introduced. Daring to work risk-based is a prerequisite for good regulatory compliance, but above all for managing digital risks and the operational disruptions that an interruption in ICT services can cause.

Our Recommendations 

Our advice for compliance functions is as follows:

  • Focus on an overall understanding of DORA (for the business and compliance function).  
  • Assess the progress of the conducted implementation project. What has been achieved, what remains, and what compliance risks are still present? 
  • Define the right level of ambition by understanding where the company stands today and the plan going forward. Work risk-based and focus on the parts where the compliance risk is greatest. 
  • Do not fall into the trap of reviewing processes and procedures purely as a checklist against the detailed requirements of DORA; assess whether they work in practice and address the actual risks. This will likely require close collaboration between the compliance function and the business.

In Conclusion

In conclusion, it is important to ensure that DORA is integrated into the organisation's operations and does not become an isolated compliance issue. To succeed, close and structured collaboration between the control functions and the business is required. By linking compliance to business benefits and ensuring that each requirement in DORA contributes to stronger operational and digital resilience, the regulatory framework becomes a tool for long-term resilience rather than an administrative burden.


Tone Bergfelt

Director & Head of Financial Law

Therése Marcks von Würtemburg

Managing Director
