Introduction
As a company providing services to financial institutions, compliance with the EU Digital Operational Resilience Act (DORA) is a business priority as well as a regulatory necessity for Circit. All entities that fall within scope of the act are required to comply with it by the 17th of January 2025. Our customers include auditors and financial institutions of all shapes and sizes who rely on us to provide secure, uninterrupted access to verified transactions and related audit data. Therefore, adherence to the DORA Act prior to the deadline is essential for Circit, not only to ensure we meet regulatory standards, but also to reinforce the trust we have built with our clients.
As an Account Information Service Provider (AISP), we found that the process of achieving adherence to DORA presented a few challenges to the business. Directives like this Act are often designed and written with complex, high-risk entities in mind. While these robust requirements are essential to ensure financial system stability, they can pose challenges for entities that are unable to dedicate the same level of resources as the largest and most complex businesses. As a result, Circit needed a strategic approach that leveraged our existing governance, frameworks, and certifications while addressing the unique requirements of the Act. Here's how we navigated this journey, the challenges we faced, and how we ensured our approach was both effective and sustainable.
Background
DORA was introduced by the European Union to address risks posed from digitisation in the financial sector. With the rise of cyberattacks, reliance on third-party technology providers, and interconnected financial systems, the potential for ICT-related disruptions to impact financial stability has grown significantly. DORA mandates, therefore, that financial entities implement comprehensive frameworks to safeguard their operations and protect the wider financial ecosystem under 5 pillars - ICT risk management, incident reporting, third-party oversight, information sharing and resilience testing. By creating a harmonised approach to digital resilience, DORA looks to enhance trust, reduce vulnerabilities, and ensure that financial services can continue to run smoothly, even when faced with adverse conditions.
The Challenges
DORA applies broadly across financial entities, encompassing everything from global payment processors to AISPs like Circit. While the Act aims for uniform resilience across the financial ecosystem, it presents distinct challenges to entities that vary in complexity, risk and size. Here is an outline of some key challenges Circit has overcome as a part of becoming DORA-compliant:
Regulation Written for High Risk, Complex Entities: Much of DORA's language, particularly around ICT risk management, operational resilience, and governance, assumes a level of complexity and resource availability that is more applicable to the largest, high-risk entities. On first impression, it could appear that firms not at this scale may lack the infrastructure or personnel to implement certain requirements at the same ratio.
Cost and Resource Constraints: Many requirements, such as third-party risk assessments, resilience testing, and documentation, appear to demand significant investment in time and tools. For organisations smaller than Circit, meeting these requirements without dedicated compliance teams could cause significant resource constraints.
Complexity of Solutions: Resilience requirements, such as stress testing and backup systems, can feel disproportionately burdensome for low-risk entities. The nature of an AISP's work (e.g., providing account aggregation) might not require the same level of resilience planning as a high-risk payment processor.
Our Approach to DORA
At Circit, our approach to achieving compliance with DORA is grounded in the strong foundations already in place from achieving certification in ISO 27001:2022 and SOC2 Type 2. It would be prudent to mention that there are some misconceptions surrounding DORA: it has been suggested that ISO/SOC certifications automatically qualify an organisation for DORA adherence, but this is untrue. At Circit we have taken a structured approach, systematically finding where our operations were out of alignment with DORA requirements and then plugging those gaps in a way that integrates into our existing frameworks and processes, minimising disruption to operations.
Scoping the Requirements:
The first step involved thoroughly reviewing the full text of DORA to understand its scope and implications. Through this process, we were able to determine the specific exemptions and obligations applicable to Circit as an AISP. It was also through digesting the act that we gained a strong understanding of Article 4, the proportionality principle, which outlines how solutions to DORA requirements should be scaled based on an entity's size, complexity and risk to the financial system.
Crosswalk Mapping:
Using a crosswalk method, we then mapped DORA’s requirements against controls and processes already in place under our SOC2 and ISO 27001 certifications. This step highlighted the areas in which we were already compliant and allowed us to streamline our efforts. Moreover, it offered practical insight into the level of proportionality we should apply to areas that did not overlap with these certifications.
Comprehensive Gap Analysis:
Following on from the crosswalk, we conducted another sweep of the DORA requirements and developed a gap analysis report that assessed where Circit’s current practices diverged from DORA’s mandates. Each gap was assigned a complexity and impact rating to prioritise remediation efforts effectively, ensuring that high-impact areas were addressed first.
Pillar-Based Findings and Recommendations:
DORA’s five key pillars—ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing—served as a framework for presenting findings. For each pillar, we detailed the identified gaps and made actionable recommendations for improvements. These recommendations could be something as small as a minor policy revision or as complex as the development of entirely new operational procedures or systems-based changes.
Implementation of the Changes:
Remediation steps were implemented following the priority framework set up in the gap analysis. Each change underwent development, implementation, review/revision and eventual sign off. Insight from key subject matter experts from across our organisation ensured that any changes continued to meet Circit’s operational and security standards.
Integration: Monitoring, Governance & Audit
Circit integrates DORA requirements into our existing ways of working wherever possible, rather than having parallel DORA-specific processes. Through this approach we ensure compliance while supporting operational efficiency. This method also fed into the way Circit's ongoing monitoring framework adapts to DORA. We assimilate any new DORA security controls, checks and revisions into our existing governance structure to ensure that the requirements under DORA blend into Circit’s established processes.
To ensure full transparency and audit readiness under DORA, Circit chose to compile a comprehensive adherence pack holding all relevant evidence and supporting documentation. This pack was organised to map each regulatory requirement to specific evidence (policy, processes, reporting frameworks etc.), demonstrating our compliance across each of DORA’s five key pillars. It includes a cross-referenced table that aligns DORA article references with Circit’s internal operations, linked to supporting evidence. By maintaining this adherence pack, Circit hopes not only to ensure readiness for external reviews, but also to foster a culture within our organisation that is able to respond proactively to upcoming regulatory challenges, no matter their size or complexity.
Project Highlight: Finding the Solution, the Importance of Proportionality
A cornerstone of Circit’s success in achieving compliance with the Digital Operational Resilience Act (DORA) is our strategic application and understanding of the proportionality principle. This often-overlooked aspect of the regulation enables us to tailor our compliance efforts appropriately without compromising the robustness of our operational resilience.
This is found in Chapter 1, Article 4 of the act which states:
“Financial entities shall implement… [Chapters 2-4 & 5 section 1] proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations,”
Digital Operational Resilience Act, REGULATION (EU) 2022/2554, page 29
The proportionality principle in DORA ensures that the requirements set out are applied based on an entity's size and its risk to the financial system. This principle allows entities with lower regulatory overheads (including Circit) to adopt scaled-down solutions to achieve compliance with the act. Conversely, larger, high-risk institutions, like major banks or payment processors, must implement more comprehensive measures to tackle the requirements. This differentiation, though easily skimmed past, is central to the development of practical solutions to the requirements under DORA.
Please note: not all parts of each Chapter have the proportionality principle applied to them; it is critical to read the act and determine where this does and does not apply.
This immediately presents another challenge: DORA leaves this proportionality of approach up to each business (i.e. open to interpretation). As an organisation you must analyse what the act asks for and then decide yourself what you will practically implement to be compliant at a proportional level.
There is no black and white guidance around proportionality that states “if you are entity X then apply control Y”. Moreover, it will be up to the different European Supervisory Authorities (ESAs) to interpret this proportionality (and we may therefore see differences on what is acceptable “proportionally” across different EU member states). It is difficult to know exactly what will or will not be acceptable – which is why it is critical that organisations keep a close watch on any audits and findings that happen under DORA in the coming years – in case changes must be made accordingly.