The Official Journal of the European Union (OJEU) has already published Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, better known by its English acronym, DORA. It applies from January 2025, but entities are already working to meet its requirements. You can read about the main new developments here.
Miguel Sánchez Monjo, partner at Cuatrecasas, believes that the DORA Regulation also brings with it "a cultural change in institutions". And not just in terms of how they deal with cybersecurity, but also with business continuity itself: "It means adopting new procedures for cybersecurity and IT risk management, which requires embedding within the company a greater culture of how these risks are managed, how certain sensitive customer information is handled, who has access to it, etc.", he explained during the last FundsPeople Legal Debate.
In his view, the biggest impact may be on smaller fund managers. "Mainly alternative investment fund managers who, in some cases, have smaller structures, with simpler systems and procedures, which means that DORA may be a challenge for them. Moreover, they do not fall under the simplified systems that have been provided for small investment services companies or simplified payment entities, and only certain exemptions for micro-enterprises are envisaged", he points out.
"Large entities, in particular banks, should not encounter difficulties in implementing DORA, as they have already completed much of the groundwork", says Alfredo Oñoro, Director of Regulatory Compliance at Cecabank. In fact, Oñoro points out that they "already have robust cybersecurity procedures and tools in place because of the risks to which they are exposed. But small entities are likely to encounter difficulties if they are not guided and assisted throughout the process".
A cross-cutting exercise
The regulation provides for a two-year implementation period. Even so, Bárbara González, counsel at Linklaters, warns that "it is an exercise in which, moreover, all areas have to participate: management, risk and compliance have to work hand in hand. And they must start now because the time frame is going to be too short."
Elisa Ricón, CEO of Inverco, says that last year Inverco launched a project with asset managers and pension fund managers to assess where each entity stands in terms of compliance with DORA. The objective is to map, by category of entity, the level of readiness each has reached and to provide guidelines that facilitate compliance. The results will be released shortly.
Ricón alludes to a dual concern: "We must strike a balance between maintaining the security of the financial system, something that concerns everyone, and allowing entities of all sizes to continue to do their work," she clarifies.