Understanding Your Obligations Under DORA as a Compliance Officer
With the entry into force of the Digital Operational Resilience Act (DORA) on January 17, 2025, companies in the financial sector must adapt their management of digital risks to stricter requirements. Compliance and Risk Management officers are now tasked with ensuring that the means-based obligations provided for in the regulation are applied within a precise framework. This includes being able to demonstrate "due diligence" in the event of a serious incident. This article provides an overview of the key responsibilities of the Compliance Officer under DORA, as well as the main actions to be taken to ensure compliance with the regulation.
Sarah Zouaki
11/27/2024


DORA, an additional responsibility for the Compliance Officer?
As described in a previous article, “The DORA Regulation (Digital Operational Resilience Act): Everything You Need to Know,” DORA imposes specific obligations on financial institutions regarding digital operational resilience. This refers to an organization's ability to maintain its critical operations despite disruptions or threats in the digital domain. It is not an end goal to be achieved but a continuous effort for organizations, which must invest time, human resources, and budgets in preventing these risks. The logic is simple: any risk affecting a financial institution or a digital service provider can have systemic consequences on a large scale, even affecting entire states.
To mitigate these risks, financial institutions must now comply with increasingly stringent means-based obligations, in continuity with the accountability logic established by Basel I and II in the event of a systemic crisis. However, these new requirements go beyond the mere financial framework; they also encompass the fields of IT and cybersecurity. The European Union has a clear position: to strengthen the regulation of digital risk management in sectors deemed strategic for the public interest, always with the aim of making the main stakeholders accountable.
What risks are we talking about? ICT (Information and Communication Technology) risks refer to potential threats that can affect the security, confidentiality, integrity, and availability not only of information systems but also of data. These risks include cyberattacks (such as phishing, ransomware), as well as technical failures, human errors, or natural disasters. They can indeed have serious consequences for the organization, such as data loss, significant financial losses due to fraud or ransomware, interruption of operations, and temporary paralysis of activities.
Nevertheless, the novelty of DORA lies less in the supervision of these risks (which is an essential part of the banking profession) than in the extension of these obligations (of means) to a larger part of the organization. Indeed, DORA imposes an integrated approach that engages stakeholders at all levels, including IT departments, human resources, and senior management, to ensure overall operational resilience. Thus, the Compliance Officer must play a central role in educating teams about their collective responsibility in protecting the organization against digital risks, making operational resilience an essential strategic imperative.
What are the main responsibilities and obligations of a Compliance Officer under the DORA regulation?
1. Organization of a system for responding to potential threats. The Compliance Officer's primary responsibility under DORA is the "macro" supervision of non-compliance risks with the regulation. The regulation provides for continuous obligations of management, anticipation, training, and adaptation in the event of major crises related to information systems. Therefore, by extension, they must ensure that their organization has a digital risk management strategy that covers all activities, information systems, and critical suppliers. They must have a system for continuous monitoring of potential threats and vulnerabilities, as well as the development of response plans to mitigate the impacts of these risks. However, the Compliance Officer, by definition, has a plethora of other compliance issues to manage. It seems, therefore, that their scope of action now extends to risks related to information technologies within the framework of the adoption of the DORA and NIS 2 regulations.
2. Supervision of digital resilience tests. As part of anticipating and preparing for ICT risks, financial institutions are expected to conduct regular tests simulating crisis scenarios (cyberattacks, system failures, human errors) that engage the entire organization, in order to evaluate the effectiveness of technical measures and human capabilities to prevent, detect, and respond to such incidents. Thus, as a Compliance Officer, they must collaborate with the various teams and professions concerned to evaluate the current state and sufficiency of these tests in relation to DORA requirements. They must also establish a framework for communication and implementation of these tests, ensure their regular conduct, supervise their progress, and ensure that the results are analyzed to strengthen the company's security. Moreover, these tests serve as evidence to be provided in the event of an incident, demonstrating the prevention efforts deployed.
3. Management of incident reporting. The Compliance Officer occupies a pivotal position within the organization, acting as an essential intermediary between several key actors. They ensure the liaison between senior management, which defines the overall strategy, the Security Manager (or CISO), responsible for cybersecurity, the Risk Manager, who manages organizational risks, the IT Manager (or CIO), in charge of the technological infrastructure, the Data Protection Officer (DPO), who ensures data protection, the Legal Counsel, who provides legal expertise, and the various competent authorities. For example, in France, security incidents—particularly those that impact the continuity of services or result in significant data breaches—must be reported to the competent regulatory authorities such as the Prudential Supervision and Resolution Authority (ACPR) and the Bank of France. In the event of major incidents, financial institutions may also be required to notify the Financial Markets Authority (AMF) or the National Agency for the Security of Information Systems (ANSSI). During a crisis, entities must imperatively follow their internal procedures, provide an adequate response, and manage the crisis in question. The regulation adds an additional obligation for effective communication with the authorities in question. Therefore, as a Compliance Officer, it is crucial to ensure that mechanisms are in place to quickly report these critical incidents. For example, this may require designating persons responsible for alerting in case of a problem, as well as implementing processes to collect, analyze, and transmit information within the prescribed deadlines, generally 24 hours after the detection of the incident.
4. Management of risks related to critical third-party suppliers. The supervision of third-party suppliers is a major issue under the DORA regulation, which particularly emphasizes the management of risks associated with these critical providers, such as those related to the cloud and the management of information systems. The Compliance Officer must therefore be able to evaluate their ability to respond to security incidents, request resilience test reports, and establish effective communication channels with them for the management of potential incidents. To ensure optimal compliance, the regulation provides for the establishment of Service Level Agreements (SLAs) that include specific requirements: immediate reporting of any incident affecting data security or the continuity of operations, guarantees of recovery time (RTO) in the event of a major failure with penalties for non-compliance, as well as annual security audits and participation in resilience tests with the financial institution. Consequently, the Compliance Officer must ensure that these providers comply with the same security standards as the organization, both legally, by developing robust SLAs, and operationally, by conducting regular audits.
5. Continuous training of teams. Article 12 of the DORA regulation emphasizes the importance of training in digital operational resilience for all governance actors within financial organizations. This training must be integrated into the mandatory training plan for staff, including educational content that meets the specific requirements established by DORA. Training programs must address themes such as digital risk management, cybersecurity, and regulatory requirements, and must be updated regularly to reflect legal developments. Moreover, the training must be verifiable, ensuring that employees acquire the necessary skills to maintain operational resilience in the face of digital threats.
Summary: What are the keys to effectively supervising compliance with DORA?
There is no one-size-fits-all solution, as each organization will need to adapt its processes according to its specific needs. However, DORA can be seen as an essential requirement to establish an "ecosystem strategy" integrating continuous monitoring of risks associated with internal and external operations, as well as effective communication before and after crises. It is therefore crucial to be able to identify and continuously monitor critical points of vulnerability within the organization and its supply chain. To anticipate threats, a proactive approach involves developing a risk map, followed by a classification according to their severity and urgency, which allows prioritizing mitigation actions and strengthening the overall resilience of the organization.
The Compliance Officer occupies a key position as an intersectoral coordinator, responsible for organizing and implementing effective communication within the organization. The management of digital risks must be integrated at all operational levels. To achieve this goal, the Compliance Officer must foster collaboration between IT security, operations, and risk management teams. This can be done through regular meetings, training workshops, and incident simulations, ensuring a consistent and proactive approach to digital threats.
Moreover, the ability to manage and select key third-party suppliers in compliance with DORA obligations is paramount. One of the main changes introduced by DORA is the emphasis on the supervision of critical third-party suppliers, who play a key role in the continuity of operations of financial institutions. This also includes the legal framework related to the Service Level Agreement (SLA) under DORA.
It should be recalled that non-compliance with DORA requirements can result in heavy penalties, with fines of up to 10 million euros or 2% of the global annual turnover of the institution concerned. In addition to financial penalties, companies may also face significant reputational risks and corrective measures imposed by regulators, such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA).