
This article highlights the specific challenges faced by these companies and explores ways of adapting DORA to their reality.
Key DORA challenges for SMEs
A lack of human and financial resources
In an SME, it is not uncommon for a single IT manager to take on several roles: maintaining systems and access, managing cybersecurity and now implementing all of the DORA requirements. Limited human resources usually go hand in hand with budget constraints, which make adapting to new regulatory requirements more complex.
However, it is important to note that DORA adopts a proportionate approach: the measures to be implemented must be adapted to the size, risk profile and nature of the company's activities. SMEs can often comply with the essential requirements without investing in costly infrastructure, by opting for solutions suited to their scale.
The complexity of incident reporting
Although SMEs generally experience fewer incidents than large banks, keeping a register of incidents, even in the absence of major events, is an opportunity rather than a constraint. In fact, this practice ensures enhanced traceability, facilitating early detection of anomalies and enabling rapid response in the event of a problem.

Rudimentary policies and procedures
SMEs often have IT governance processes adapted to their size, but these may need more structured formalization to meet DORA requirements while remaining commensurate with their activity. DORA requires more rigorous, documented risk management policies, which means considerable work in writing, validating and implementing them.
This process adds to the workload and requires adherence to formats, templates and versioning processes to ensure efficient management, which can sometimes conflict with existing practices.
The principle of proportionality remains unclear
DORA applies to all financial companies, regardless of size, but does not provide clear guidelines on how to adapt its requirements. Although the principle of proportionality is mentioned in the regulations, its application remains subjective and open to interpretation. SMEs therefore face two risks of poor implementation of the requirements:
Over-implementation: implementation of costly measures unsuited to their structure.
Under-implementation: risk of non-compliance due to misinterpretation, or lack of interpretation, of the obligations.
Managing third-party suppliers

While implementing DORA is a challenge, solutions do exist to enable SMEs to adapt to regulatory requirements without unnecessarily burdening their organization. Outsourcing, pooling resources, simplifying processes: these are just some of the avenues to be explored to transform this constraint into an opportunity.
In the remainder of this article, we explore practical approaches to meeting these challenges and ensuring effective compliance without compromising the agility of SMEs.
What are DORA's essential obligations?
As a reminder, DORA is a European regulation that aims to strengthen the digital resilience of financial institutions. It imposes strict cybersecurity and risk management requirements on companies in the financial sector. Here is a simplified presentation of DORA's requirements:
Companies must identify and manage their risks related to information technology.
An ICT risk management framework needs to be put in place.
The board of directors must be involved in overseeing digital risks.
Implementation of an IT incident detection and reporting process.
Obligation to report major incidents to regulators without undue delay.
Follow-up and analysis of incidents to prevent recurrence.
Companies must regularly test the robustness of their IT systems.
Simulation exercises (penetration testing, simulated cyber attacks) must be carried out.
These tests and exercises must be carried out by competent in-house staff or independent third parties (except for micro-businesses).
Monitoring and managing risks related to IT service providers.
Contractual relationships with IT service providers who comply with appropriate security standards.
Anticipation of contractual clauses in the event of non-compliance.
Audit and control of critical suppliers.
Encouraging the sharing of information on cyberthreats.
Reports by the AES and by industry sectors draw on these exchanges.
Working with regulators and other companies to strengthen cybersecurity.
Strategies for effective compliance
Implementing DORA in a small company may seem complex, but solutions exist to overcome the main challenges while making the best use of available resources:
- Prioritize essential actions: Set up a progressive compliance plan.
- Pool resources: Join groups of companies to share best practices and training.
- Outsource complex tasks: Outsource certain obligations such as resilience testing.
- Automate incident data collection: Use accessible tools to record events.
- Minimalist but compliant reporting: Adopt a simplified register.
- Staff training: Raise team awareness for incident detection.
- Use standardised templates: Adapt existing models.
- Define clear, pragmatic procedures: Create company-specific guidelines.
- Gradually integrate IT governance: Gradually align internal policies.
- Draw on industry benchmarks: Observe how other SMEs apply DORA.
- Adopt an iterative approach: Start by meeting the minimum requirements.
- Set up a suitable monitoring framework: Establish a supplier evaluation grid.
- Monitor compliance on an ongoing basis: Set up regular monitoring.
Adopting DORA without stress: a gradual path for SMEs
DORA is not just a regulatory constraint: it is an opportunity for SMEs to increase their resilience to cyber threats and technological disruptions. Rather than simply undergoing this transition, they have everything to gain by adopting a more pragmatic and progressive approach, aligned with their resources and priorities.