The delay in the implementation of the Regulatory Technical Standards (RTS) is causing concern among experts in the financial and IT industries. According to Giancarlo Butti, an auditor and privacy/security expert, the incomplete regulatory process has left financial entities in a difficult position. While some delegated regulations have been released, others are still pending, leading to uncertainty and additional work for organizations. For example, financial entities that are redefining contracts with suppliers now may later need to amend them to incorporate requirements on managing relationships with subcontractors.
It is crucial for financial entities to carefully assess the risk associated with their entire supply chain, as the impact of the Digital Operational Resilience Act (DORA) extends beyond just financial institutions to the entire ICT supply chain. The complexity of DORA lies not only in the text itself but also in the practical steps required for compliance.
Davide Baldini, a lawyer and partner at ICT Legal Consulting, highlights the clarity of DORA as a regulation that applies uniformly across all EU countries and provides detailed provisions. By contrast, the NIS2 directive leaves member states more flexibility in how they implement it. DORA's prescriptive nature makes compliance challenging in terms of the time, human resources, and financial investment required.
The uncertainty surrounding the arrival of all delegated regulations adds to the challenges faced by organizations aiming to comply with DORA. The need to align existing contracts and procedures with the forthcoming regulations increases the workload for financial entities and their partners in the supply chain. This delay not only impacts the financial sector but also has indirect consequences for the broader ICT industry.
As organizations navigate the complexities of DORA and await the full set of regulations, they must allocate resources effectively to ensure timely and comprehensive compliance. The evolving regulatory landscape highlights the importance of proactive risk management and collaboration across the supply chain to enhance overall operational resilience. The impact of DORA goes beyond mere regulatory compliance and underscores the need for a holistic approach to cybersecurity and data protection in the financial and ICT sectors.