DORA and the Future of Operational Resilience in Financial Services

The Digital Operational Resilience Act represents the EU's most comprehensive approach yet to technology risk in financial services. With full applicability approaching, this panel examined how institutions and their technology providers are preparing for DORA's stringent requirements.

Implementation challenges loom large. ICT risk governance frameworks require significant restructuring at many firms, while incident reporting obligations demand new processes and systems. Perhaps most complex are the supplier repapering requirements, which force institutions to renegotiate contracts with hundreds of technology vendors to meet DORA's standards.

Speakers compared DORA's prescriptive approach with the UK's developing Critical Third Parties regime, debating whether detailed rules or principles-based flexibility better serves innovation. The conversation revealed genuine uncertainty about which approach will prove more effective as technology evolves.

Emerging risks from artificial intelligence and quantum computing add urgency to operational resilience planning. These technologies introduce vulnerabilities that existing frameworks weren't designed to address, requiring institutions to think beyond current compliance requirements.

The panel stressed that stronger cross-border coordination is essential, particularly as financial services grow increasingly global while regulation remains jurisdictional. Most importantly, speakers emphasised that genuine resilience requires cultural change beyond checkbox compliance - institutions must embed resilience thinking throughout their operations, not just in dedicated risk functions.

Panellists:

• Hinal Pater, Partner, Simmons&Simmons
• Laure Fauchet, Director, UK Government Relations, DTCC
• Michael Jefferson, Head of Financial Services Public Policy UK, MEA and Switzerland, AWS