The effort required to implement new or amended legislation is very high nowadays, and increasingly poses a challenge to companies. A recent example of this is the Digital Operational Resilience Act (DORA) and, in particular, the register of information that financial companies in Austria must submit to the FMA by April 11, 2025.
What is the status of compliance with the EU regulation and how far along are firms in creating the register of information? What impact does the increase in regulatory requirements in the financial sector have on the competitiveness of European companies? What positive effects can be achieved through digitalization and AI? These and other questions were the topic of the “Die Presse” expert talk on March 25, 2025.
Participants in the panel discussion were:
- Ulrike Rhomberg, Securities Supervision, Focus on Risk Management and IT Risk (DORA, MICAR), FMA
- Stefan Röder, Governance Expert for Outsourcing/DORA and IT Risk Management in the Financial Sector
- Katrin Repic, Attorney at Law, DORDA Rechtsanwälte GmbH
- Robin Schmeisser, Managing Director, Fabasoft Contracts GmbH
Status quo of DORA implementation in practice
While some aspects of DORA, such as ICT risk management or incident reporting, are already well advanced in terms of implementation, there is still some catching up to do, for example when it comes to ICT third-party provider management and the adaptation of contracts. Katrin Repic believes that hardly any company is fully DORA-compliant in these areas. Financial companies that were previously not or only lightly regulated, such as insurance brokers, investment firms or crypto service providers, are currently still finding implementation particularly difficult, the lawyer reports from her practical experience.
One area of ICT third-party vendor management that all panelists consider particularly challenging is the creation of the register of information. In addition to the bureaucratic effort involved, Stefan Röder would like to see more specifications and precise details on the structure of the register and the exact expectations. The national authorities also face challenges, as they have to collect, verify and consolidate a large amount of data from the institutions' registers of information in a very short time, explains Ulrike Rhomberg.
Increasing regulation in the financial sector - opportunity or obstacle?
Through simplification and burden reduction, the EU is pursuing the goal of reducing unnecessary additional work and bureaucracy, according to Rhomberg. However, experts agree that legislation such as the Digital Operational Resilience Act is necessary. According to Repic, DORA has the advantage of providing uniform and clear regulations for all market participants - i.e. a "level playing field" - which makes work noticeably easier from a legal perspective. On the other hand, increasing regulation also affects the competitiveness (especially of start-ups) in the market. However, this is difficult to avoid due to the high security requirements for financial companies and their internal processes, says Robin Schmeisser.
Röder also welcomes a precise set of rules so that everyone involved knows the minimum requirements and the legal framework within which they must operate. This would also avoid unnecessary discussions with contractors, external auditors, and regulators.
Possible approaches for digitalization and AI
For Röder, it is clear that the workload associated with DORA cannot be managed without true digitization. In his opinion, reports such as the information register cannot be implemented manually or by using Excel spreadsheets. No company can avoid using digital tools. However, the governance expert advises thinking bigger from the start and digitizing the entire value chain related to the register of information. Otherwise, there will be problems with data quality.
The use of artificial intelligence also offers the potential to increase efficiency by automating selected activities. As an example, Schmeisser cites contract checks for DORA compliance. According to the managing director of Fabasoft Contracts GmbH, it is crucial to look at the entire business process and, for example, combine AI with digital workflows in order to achieve end-to-end digitization.