TALKING business
Compliance 101 – review, assess, react
Now that the deadline has passed, organisations need to remain vigilant for the year ahead. As a first step, financial institutions must ensure that they understand the regulations and how they apply to them and their partners, particularly as they agree to new partnerships in the future. It is important that organisations review their processes to ensure they are compliant. This is best done by conducting a gap analysis of existing contracts and assessing ICT third-party risks on a regular basis.
A gap analysis is a strategic planning method that involves comparing an organisation’s current performance to its desired performance. In the case of DORA, a gap analysis would be used to identify and address gaps in a company’s current ICT policies.
Assessing third-party risk will also be key. This is particularly true in the wake of the CrowdStrike outage in July 2024, which disabled an estimated 8.5 million Microsoft devices and affected businesses around the world. Regulatory bodies will be extra cautious and will be monitoring organisations to ensure this kind of event never happens again.
Moving forward, all enterprises have to consider their third-party providers’ security, as well as where their customer data is stored and to what extent they can audit the services of the provider. Most importantly, financial institutions need to hold their vendors accountable.
The more prepared firms would have implemented a centralised contract lifecycle management (CLM) system to automate vendor risk assessments and contractual agreements to ensure that they met the new standards. Others may still have gaps in their third-party risk oversight, and any new contracts will pose further compliance issues.
CLM and contract intelligence software enable organisations to extract commercial terms from a contract and transform them into verified data. As this can be done in bulk, it allows for a much more efficient process when it comes to identifying risks. Artificial Intelligence (AI) can also be utilised to identify any potential risks and suggest alternative language to mitigate these risks.
2025: Navigating the regulatory landscape
Now that DORA has been fully implemented, the most important thing for financial organisations is to ensure that they understand the regulations fully and keep on top of their contracts, existing and new, including those with partners and third parties, in order to prevent falling foul of compliance. DORA is not a one-time effort, and in the post-DORA landscape organisations will need to be agile and prepared for any potential changes in future legislation. Operational resilience is now a strategic imperative.
The best way for a business to approach this is to review its data and systems, and to establish and invest in the right technologies, so that it is in the best position to adapt to regulatory updates or changes and navigate the ever-changing business landscape.
36 INTELLIGENTCIO EUROPE www.intelligentcio.com