DORA regulation and the importance of Smart Timing

Anyone involved in financial services will be no stranger to regulation – the sector relies on it to function effectively and fairly. But the past few years, in particular, have seen the introduction of key new pieces of legislation that are pivotal for the direction of the financial world and its relationship with technology. 

The Digital Operational Resilience Act (DORA) is one of these. As the name suggests, the Act has been introduced to achieve a sector-wide upgrade to the digital operational resilience of financial institutions. And in a trend underscored by DORA, timing plays a crucial role here – both for compliance purposes and for deciding where our use of digital infrastructure is headed. 

DORA’s scope: a central role for time

DORA applies to all kinds of financial institutions across the EU. This refers not only to the traditional financial services companies that you’d expect the legislation to cover: banks, investment firms, credit institutions, insurance companies and so on.

It also includes newer kinds of financial services companies, like crowdfunding platforms and crypto-asset service providers. And in a major new step, it also applies to third-party providers of ICT services to these institutions, such as data centres, cloud platforms, credit rating services and data analytics companies. 

These institutions need to be able to recover from any ICT incidents quickly and with minimal disruption for customers and partners. With DORA now in place, this means new and more stringent obligations for risk management, incident reporting, operational resilience testing and third-party oversight. 

These requirements place a newfound emphasis on the role of timing in financial institutions’ digital infrastructure: to ensure compliance, these institutions will now need to meet high standards of time synchronisation and of documentation of timing data and processes, and to make sure that their timing system is resilient enough to withstand spoofing or other forms of cyber attack.

DORA reiterates a core belief of ours: that accurate timing systems are vital, not optional, when it comes to cybersecurity for financial institutions.  

Hoptroff Smart Timing and DORA compliance

With the deadline for DORA compliance now less than a year away, in January 2025, these issues have taken on a special urgency.

Hoptroff Smart Timing is designed to provide certainty in an uncertain world of rapid technological change and regulatory compliance. Institutions on Hoptroff time can demonstrate DORA compliance with calibrated timekeeping mechanisms, maintain complete records of timing data, and provide transparent documentation of timing processes. 

Our Smart Timing Software meets the Act’s standards for accuracy, reliability and transparency. Time synchronisation with down-to-nanosecond accuracy allows you to fully trace events in your digital environment, while our Time Feed derives its time from multiple UTC sources for increased resilience to spoofing or jamming. We also conduct ongoing audits, security assessments and updates to ensure continued compliance.

The compliance process can be complicated, but it’s one we have deep experience of at Hoptroff, and we’re on hand to support institutions through the changes that the Act has ushered in. 

Beyond DORA: the future of digital infrastructure

Aside from the technical points of compliance, DORA’s introduction should result in a shift in the way we think about digital infrastructure for the financial sector. 

The Act promises enhanced security, but meeting its requirements presents challenges, especially for the smaller institutions in the list above. The new level of rigour expected in testing, risk assessment and incident reporting will inevitably strain their resources, which may lead to an uneven playing field for businesses with fewer of those resources to begin with.

In a post-DORA world, shared infrastructure emerges as a solution to this problem. Hoptroff timing seamlessly integrates into existing infrastructure, in a model we call traceable time as a service. When accurate, resilient and secure time is offered as a utility to subscribe to, individual institutions are no longer responsible for their own time. Instead, this is handled by dedicated timing experts, reducing the risk of shortfalls in the operational resilience of the industry as a whole.

In a world continually being reshaped by technology and hyper-connectivity, traceable time as a service simplifies the process of gaining operational resilience. 
