Brokers Lag on DORA Compliance
One year after the EU's Digital Operational Resilience Act (DORA) was implemented, most brokers and trading platforms are still playing catch-up on full compliance. The gap highlights the challenge of operationalizing resilience metrics, creating an opportunity for engineering leaders who can bridge the gap between compliance and platform capabilities.
The Digital Operational Resilience Act (DORA), which became fully applicable on January 17, 2025, establishes a unified framework for managing technology risks across the EU's financial sector. It mandates stringent requirements for ICT risk management, incident reporting, resilience testing, and, perhaps most critically, the oversight of third-party technology providers. The regulation's reach extends beyond traditional financial institutions to cover around 20 different types of entities, including investment firms and crypto-asset service providers. This broad scope acknowledges the deeply interconnected nature of the financial system and its increasing reliance on technology. Non-compliance carries significant weight, with potential fines of up to 2% of a firm's total annual worldwide turnover.

A primary challenge for many firms is the required scrutiny of their ICT supply chain. DORA demands that financial entities maintain a detailed register of all their third-party ICT providers and ensure that contracts contain specific clauses covering security, audit rights, and data access. This places the primary compliance responsibility on the financial institution, even when the risk originates from an external vendor.

To meet DORA's demands, engineering leaders are tasked with creating and documenting a comprehensive ICT risk management framework that is reviewed at least annually. This involves not just identifying and mitigating risks but also conducting regular, advanced resilience testing, such as threat-led penetration testing, to proactively validate defenses. The incident reporting requirements under DORA are notably strict, with initial notifications for major incidents required within hours of detection. This necessitates highly efficient incident response workflows and clear, standardized documentation to meet tight regulatory timelines.

Looking ahead, the adoption of AI and automation is becoming a key strategy for maintaining continuous compliance. AI-powered tools can assist in real-time threat detection, automate risk assessments, and streamline the review of vendor contracts to ensure they align with DORA's evolving requirements.