The two-year window for DORA readiness is almost up.
With January 17th just around the corner, the clock is ticking for financial services firms to align with the significant new regulations within Europe’s Digital Operational Resilience Act (DORA). Whether you're counting in days or weeks or celebrating the season, the enforcement date will be here before we know it.
Let's be clear: there won't be a "big bang" on January 17th. But don't mistake the absence of immediate fireworks for leniency. The Competent Authorities (the regulators) will soon begin exercising their powers, and there are plenty of moving parts to keep in focus: incident reporting, threat-led penetration testing, operational resilience risk management and ICT third-party oversight. All of these areas have new rules. No one will want to be the first firm to have an issue, but everyone will want to benefit from the one that does; a peer's incident is a surefire way to get the budget to put more stringent defences in place.
The Three Cs: Then and Now
If you've followed my earlier blogs and podcasts, you'll know I often discuss the "Three Cs" of Regulatory Compliance:
- Complain – They want us to do what? For what reason? What's wrong with today?
- Comply – Let's tick the box to make sure we are compliant, do the minimum to comply with the regulation, and consider it a necessary evil.
- Compete – Let's get a bigger budget and use the timing to deliver something more beneficial. Sure, we'll comply; let's go for it.
Now, you will notice I always have a 4th 'C', Contravene—a choice that's thankfully rare, especially given the size of the fines.
Even with the deadline looming, I've seen some firms treating DORA as a 2025 or even 2026 project. Others are focused purely on meeting the letter of the regulation, neglecting its broader spirit of more robust Digital Operational Resilience for the industry.
That's why I've updated my framework for the "post-incident era":
- Concern – What just happened? Could that happen here?
- Counter-Measures – Conduct analysis, initiate projects, and document actions to demonstrate management awareness.
- Comply – Assign the budget and get it done.
And yes, there's still room for contravene, but now I would add complacency, competence, carelessness, complicit conduct, and perhaps even criminal.
Why DORA Matters (Hint: It's Not Optional)
In my conversations with financial services (FS) firms and with ICT service providers to FS firms, it still surprises me that some are in the dark about the five pillars of DORA and what to expect. They treat it as a woolly aspiration or optional guidance rather than what it is: a significant piece of financial services regulation with teeth.
If you've missed my earlier blogs, including this one, I covered these fundamentals in more detail:
Excerpt: In the past, the operational risk rules often favoured a traditional quantitative approach to addressing risk (namely, setting a capital requirement to cover ICT risk) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities.
As an industry, we have likened DORA to the GDPR of financial services. That comparison usually gets some interest; saying that the penalties are more significant than those under SOX gets a lot more. There is something about SOX that carries a stick other regulations lack.
Whether you see January 17th as "the end of the beginning" or "the beginning of the end," one thing is clear: Enforcement means we are entering a new phase.
The Shared Responsibility Model: A Critical Piece of the Puzzle
Most financial services firms excel at risk management; after all, it's a business fundamental. But when it comes to ICT third parties, there's still work to be done.
The area that still concerns me is the assumption that Cloud Service Providers and, more specifically, Enterprise SaaS solution providers have DORA all buttoned up. Absolutely, the Critical ICT Third-Party Service Providers are (predominantly) taking this very seriously. And sure, from a major-disaster perspective, most are outstanding at providing service without interruption or data loss.
However, the areas that need continuous oversight and action are data, data classification, data security, and data integrity. What happens if end-user action, software release, admin error, or malicious conduct changes the data in the system, sometimes as an obvious event, other times on a subtle ongoing basis?
Now, the SRM (Shared Responsibility Model) has become more than an acronym; it is something you must spend more time thinking about before it bites. Under the SRM, your ICT provider hands responsibility for your data quality, integrity and protection over to you. If you need them to help with recovery, it's typically all or nothing. It is essential to have another way, not just in case a data incident needs to be reported under the new DORA rules, but because it is fundamental to operational risk management.
How Own from Salesforce Can Support You
At Own (now a Salesforce company), we specialise in SaaS data protection and data management for Salesforce, ServiceNow, and Microsoft Dynamics. Whether these are "critical" or "important" platforms for your organisation, the challenge is the same: protecting your data.
Think of SRM as an apartment building. Your ICT provider ensures the building is secure and has access to essential services, but what happens inside your apartment—your data—is your responsibility. If something goes wrong, you need tools that work like a skilled surgeon's scalpel, enabling you to analyse and remediate data corruption with confidence and precision.
Our Recover product offers precisely that. Whether rolling back or forward, it's a data lifesaver. And just as importantly, our DR3™ process helps you prepare, practice, refine (then practice again) and certify your disaster recovery skills so you're ready to act with confidence when the inevitable happens. We don't pretend to have all the answers—beware of vendors who claim they do. But we can help you secure, govern, and protect your critical SaaS data.
What's Next?
January 17th is just the start. Whether your goal is to comply or compete, DORA requires proactive effort, clear accountability, and the right tools and processes.
Let's continue the conversation. Direct message me, call me or visit our website to find out more and book a demo. Together, we can help you protect and manage your SaaS data in time for DORA and beyond.