DORA: A marathon that starts with a sprint

NAVIGATING COMPLEXITY: Weekly Tutorial 10th January 2025 - Digital COE Operational Resilience

ARTICLE 64: "It shall apply from 17th January 2025"

As we approach a key milestone, it is important to keep in mind that DORA deals with 4 areas of complexity. It asks Financial Entities to fix a generation of Technical Debt in a two year timeframe.

DORA2025 will focus on one area of complexity, the contractual arrangements with third parties. It is important to remember that the next milestone, submitting your Register of Information is one significant part of what DORA requires a Financial Entity to do to comply with the third party contractual arrangements.

DORA requires you to connect an operating model for a financial business to its technology stack, to identify all of the moving parts and explain how everything works. It is an enterprise wide and global challenge that requires operational precision supported by an advanced analytical skills.

The 4 areas of complexity that you will need to work on to effectively implement DORA are:

• Regulatory Requirements. There are 13 legal texts that need to be interpreted and applied to each Financial Entity, 6 of which are yet to finalized (Just a few days to go!). There are 2,953 lines in the 7 legal texts that have been published in the Official Journal. Everyone is struggling with the size of the challenge, not just Financial Entities.

• Operating Model. "It starts with requirements". This is a significant problem for all businesses and the root cause that has resulted in the need for DORA. As a result of agile, most businesses have lost the discipline associated with managing requirements to ensure that a system is fit for purpose. Building an Operating Model is the starting point for DORA, it is a pre-requisite for the 3 other areas. The the identification of Business Functions is the starting point of Article 8. The function ID is one of the four keys in the Register of Information (See Recital 8 of the ITS Register of Information EU 2024/2956).

• Technology Stack. Identifying and explaining all of the moving parts in a Technology Stack has been the holy grail of IT Architecture for decades. It is really difficult to do at an enterprise level as it requires the identification of interdependencies at a system object level. It can not be de-scoped.

• Contractual Arrangements. By the end of 2025, every Financial Entity will have put in place the data required to better manage the risks associated with external dependencies. Many of the questions DORA asks you to answer to complete the Register of Information are basic. It will restore a level of discipline.

In 2025, we will continue to focus on the full requirements of DORA in the knowledge that most of you will be busy with the Register of Information. Each week, we will continue to listen to your questions and try to help everyone make sense of what is required.