2026-03-20
DORA Compliance Deadline Drives Urgent Overhaul of ICT Risk Management
Emerging trend with significant business impact in the 12-24 month horizon.
**Key Finding:** The fast-approaching Digital Operational Resilience Act (DORA) deadline of January 2025 is forcing a sweeping overhaul of ICT and third-party risk management across the EU financial sector. Compliance requires significant investment and a fundamental re-architecture of operational resilience, with a sharp focus on the entire technology supply chain, including AI and cloud providers.
**Detailed Analysis:**
DORA represents a paradigm shift in regulating operational resilience. It mandates a comprehensive framework for managing ICT risks, reporting incidents, conducting resilience testing, and overseeing third-party providers. As the European Supervisory Authorities finalize the detailed technical standards, firms are in an urgent implementation phase.
AI systems and the cloud infrastructure they run on are squarely in scope. DORA requires firms to rigorously map, assess, and manage risks associated with their entire ICT supply chain, including AI vendors and hyperscalers. This has created a booming market for RegTech solutions that help manage third-party risk and demonstrate compliance. For financial entities, non-compliance poses a severe risk of regulatory penalties and operational failure. The act is a forcing function for upgrading technology governance to a level that can withstand modern cyber and operational threats.
* **Source:** *Digital Operational Resilience Act (DORA)*, European Commission. [https://finance.ec.europa.eu/banking-and-finance/financial-markets/digital-finance-strategy/digital-operational-resilience-act-dora_en]
* **Source:** *DORA Countdown: Understanding the Final RTS and ITS*, Deloitte (March 2024). [https://www2.deloitte.com/ie/en/pages/financial-services/articles/dora-countdown.html]