EU’s Digital Operational Resilience Act Officially Enforced
The EU’s Digital Operational Resilience Act (DORA) is officially here and financial entities are expected to be compliant with DORA as of 17th January 2025.
This follows a two-year transition period after the legislation was passed in January 2023.
DORA aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms.
The Act looks to ensure that the financial sector in Europe can stay resilient in the event of a severe operational disruption to digital services.
DORA covers the following areas:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- ICT-related incident reporting
- Information sharing
For organisations that fall under the remit of DORA, compliance is non-negotiable.
Non-Compliance Penalties
Organisations that fail to comply with DORA risk a range of significant and far-reaching consequences, including fines and reputational damage.
Fines for non-compliant organisations can be up to 2% of their global annual turnover or €10 million, whichever is higher.
It’s not just the financial institutions that face consequences for non-compliance; critical third-party ICT providers may face fines as high as €5 million.
These third-party organisations may also face fines of up to 1% of their average daily global turnover for each day of non-compliance, for up to six months.
Speaking ahead of the 17th January deadline, Forrester Senior Analyst Madelein van der Hout noted, “Financial institutions are at varying stages of preparedness for DORA as the compliance deadline approaches.”
“While many organisations have made progress in adapting to the Act's requirements, DORA represents a significant shift in how digital operational resilience is managed.”
Van der Hout also noted that DORA does not just apply to organisations within the EU but also financial institutions with connections to the region and cross-border operations.
“DORA also establishes a global benchmark for operational resilience in financial services. Companies in North America and APAC will likely align their practices with DORA to remain competitive, ensure interoperability with EU clients and strengthen their operational resilience,” she said.
Ongoing DORA Compliance
As with many cybersecurity regulations, maintaining compliance will be an ongoing effort for all organisations impacted by the legislation.
Jason Smith, Senior Principal, Strategy & Transformation at Conga, noted that while the transition period for DORA has drawn to a close, organisations must remain vigilant even if they have achieved initial compliance.
“DORA is not a one-time effort,” Smith noted. “Firms must continuously refine their resilience strategies and stay prepared for potential regulatory updates. Organisations should remain proactive, ensuring they meet the current requirements but are also in the best position to adapt to future legislation.”
One ongoing element that security leaders will need to consider is their third-party risk management in relation to critical ICT third-party service providers to the financial sector.
Understanding the risks posed by third parties and their own suppliers is vital to understanding overall resilience. Organisations must be able to recognise which suppliers to monitor, which ones have access to their data and networks, and whether those suppliers are themselves vulnerable to cyber-incidents.
In an article written for Infosecurity Magazine, cybersecurity expert and consultant Harman Singh noted, “DORA compliance isn't just a regulatory hurdle; it's an investment in your future. By complying with the regulation, you gain a competitive edge, attracting clients and investors who value your improved security posture.”
Conclusion
Overall, this legislative framework emphasizes comprehensive risk management, incident reporting, regular system testing, third-party risk management, governance integration, and information sharing, collectively fortifying the financial sector against ICT-related threats and disruptions.
The Digital Operational Resilience Act represents a significant step forward in enhancing the IT security and operational resilience of financial entities across Europe and beyond.
While compliance has been challenging, impacted businesses are expected to be properly prepared now that the two-year transition period has ended. Those who fail to implement the outlined requirements face substantial penalties.