With the Digital Operational Resilience Act (DORA) set to come into force next week, a number of firms are, predictably, not yet prepared for or compliant with the new regulation.
“As with most major regulatory implementation deadlines, we all seem to be fumbling towards the finish line. DORA introduces very specific and prescriptive requirements and has lots of moving pieces, but we have seen two key compliance challenges,” said Nathaniel Lalone, Financial Markets and Funds partner at Katten Muchin Rosenman UK LLP (Katten), in emailed commentary.
First, in terms of updating contracts, there is a “battle of the forms” between financial entities, who want all their service providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has the stronger negotiating power, and who blinks first?
Second, the compliance burden ratchets up for service providers supporting “critical or important” functions, and there’s some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision. This leaves open the risk that some providers of a given service are designated by their financial entities as supporting “critical or important” functions and subject to heightened obligations, whereas providers of a nearly identical service are not.
“That seems inequitable and it’s not clear how to solve for those discrepancies with the rules as they currently stand. Alongside these challenges, the ongoing DORA obligations remain with firms grappling to integrate compliance with existing requirements and internal systems, while managing resourcing constraints,” Lalone noted.