Business Continuity – Protecting your baby with DORA


Daniel Rajkumar

On 16 January 2023 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) came into force. As of 2025 all ECSPR crowdfunding service providers (CSP) must comply. WLCF has been monitoring the developments of the regulation and welcomes the changes.

DORA will require that firms have a comprehensive testing framework, robust business continuity plan, strong ICT risk mitigation and more to protect consumers of regulated financial services. To achieve the objectives, firms are expected to accommodate various contractual clauses to facilitate cooperation between SaaS providers and the regulator.

Many of these protections have been included as standard in the WLCF agreements because we understand the obligations of running a regulated firm. Our board members also serve on the board of regulated firms. Being an approved person on the FCA register means the directors have a duty of care to ensure customers are protected.

In order to prepare, WLCF will:

  • Provide an online Risk Register and assist with the creation of a Risk Management Framework as standard, for all clients
  • Setup a Source Code Escrow service, in case the worst should happen
  • Review our Incident Response and Recovery SLAs, these are already very good, but could be better
  • Provide extended credit, for those times when an investment round takes longer than expected to close
  • Assist with secure password management
  • Provide advice for enhanced security when working with remote employees
  • Review all contractual provisions as per Article 30
  • Assist with the design and setup of an Oversight Framework & cooperate with the Lead Observer
  • Cooperate with enquiries and investigations made by regulators and auditors as necessary

All clients will benefit from these enhancements, prioritising ECSPR clients, directly affected by DORA.

These additional responsibilities are difficult for firms to manage independently. If you have an internally developed platform and would like to discuss the merits of migration, or just want a consultancy project to provide a gap analysis, please contact us.