Why is DORA Needed, and What Are The Changes?

From 2025, the Digital Operational Resilience Act (DORA) will go live and represents¹ an industry-wide realisation to prioritise² operational resilience at financial institutions³. Third-party dependencies providing managed services are a focus⁴ after successful attacks on firms that may not have met the required standards⁵, which resulted in severe and repeated outages or worse, cybercrime⁶. By design, DORA ensures financial institutions have correctly categorised the importance of third-party dependencies and the dependency has relevant processes, controls and reporting in place.

What Short- and Long-Term Impact Will DORA Have?

Multiple clients have already begun incorporating DORA, categorising CJC as a critical vendor and requesting confirmation and transparency on CJC's ICT (Information and Communications Technology) processes and controls – windows into any potential threats detected, managed, and resolved.

In the long term, there is an emerging trend where aspects of client infrastructure and data are migrated from a CJC-hosted environment back into a client-hosted one, with little to no impact on the client-CJC relationship. The client sentiment is if their data and infrastructure are hosted in a proprietary cloud environment, enabling the capability to control third-party dependency connectivity, they are in a better position to meet the new standards.

The client data and infrastructure preference for over a decade is moving back to the client, which Peter Williams, CJC’s Chief Technology Officer, touched on in a recent panel discussing “The Future of Capital Markets Technology⁷.”

The preference change is not unheard of. When CJC first embraced the cloud⁸ with AWS in 2011, obtaining client support for the technology was challenging. ‘Cloud’ was a dirty word with ‘hosted’ as the preferred recommendation. Ironically, ‘hosted’ was largely unheard of just a few years before.

The low-latency explosion during the mid-2000s, wonderfully played out in Michael Lewis's must-read “Flash-Boys” changed all that with client computer rooms getting smaller and instead deploying the technology at Equinix, BT Radianz, CenturyLink, Interxion, etc. While CJC supported these migrations, a base of operations was implemented from Equinix and by 2013, providing a managed service without this component was rare.

Is DORA a Concern For CJC Clients?

CJC has a long-standing ISO 27001 certification, embedding these standards into our DNA, and is vital for an industry already embracing cloud, open source, and next-generation AI technologies. Many of DORA’s requirements are already part of CJC’s standards and we look forward to further enhancing transparency and client reporting.

With CJC’s 25^th anniversary fast approaching, the team has witnessed and moved alongside the technology trends and regulatory changes in the capital markets for a quarter of a century. Also, CJC does not derive revenue from infrastructure-as-a-service (IaaS), which means CJC is capable of scratching infrastructure costs from services to continue supporting clients reverting to this model. DORA is another way to demonstrate CJC’s world-class, multi-award-winning⁹, 24x7x365 managed service¹⁰.

Security is CJC’s top priority, and since 2018, all services have complied with ISO 27001-based standards. The business is well-positioned and ready to support client requirements around DORA and its global equivalents. All CJC services enjoy state-of-the-art security tooling, like Google Chronicle AI, and we work with leading security partners like SEP 2¹¹ to ensure the latest standards are met.

Peter Williams, Chief Technology Officer said, "CJC treats its position as a critical third-party supplier of market data-managed services to the capital market community seriously. Security is our top priority. Like our recognised market data and technological expertise, CJC is at the bleeding edge of operational resilience and third-party dependency requirements. No matter the service level, DORA-compliant standards and transparency are out-of-the-box from CJC."