Numbers never lie. The second most targeted industry in terms of
hacking and breaches is Finance, which fell victim to somewhere between
2,306 and 2,792 cyberattacks in 2023 (depending on the source).
With each data breach costing an average of $6.08 M (+3.05% YoY), it’s clear that this
is a top priority for InfoSec and Compliance leaders alike. These
compromises (cyberattacks plus system and human errors) affected 61 million people in 2023,
a skyrocketing increase of 258% since 2018.

Despite the growing number of regulations and processes set in
place to control and protect the sector, financial services
organizations have the highest average number of exposed sensitive
files (450,000), and more than 64% of these companies
have more than 1,000 critical files accessible to any employee.

To respond to these persistent cyber threats, the EU has enacted
the Digital Operational Resilience Act, known by its acronym,
DORA.

What is DORA?

The Digital Operational Resilience Act will come into effect on
17 January 2025. This act is a response to the growing
vulnerability of financial institutions to cyberattacks as they
integrate more technology into their operations. This sector’s
digital operational resilience is crucial, as poorly managed
information and communications technology (ICT) risks can lead to
disruptions in cross-border financial services, affecting various
industries and broader society.

Thus, the purpose of DORA is to fortify the IT security of
financial institutions like banks, insurers, investment firms,
payment providers and their ICT services to ensure the European
financial sector remains solid in the event of major operational
disruptions.

As part of the EU Digital Finance Package adopted in 2020, DORA
complements other European regulations like GDPR and the NIS
Directive, contributing to a safer and more resilient financial
ecosystem.

Who needs to comply with DORA?

It is estimated that 22,000 European financial companies, ICT
service providers, and also supporting ICT structures outside the
EU must comply with DORA.

How does DORA work?

As DORA’s regulatory requirements continue to evolve,
financial institutions must implement a strong framework for
operational resilience, risk management and incident response. The
growing complexity of regulatory obligations and the need for
efficient, interconnected compliance across the financial sector
demand a unified and automated approach to managing resilience and
risk.

DORA standardizes operational resilience regulations for 20
diverse types of financial entities and ICT third-party service
providers within the financial sector.

The act covers six key pillars:

1. Digital operational resilience testing
   - Low-level and high-level testing

2. ICT-related incidents
   - Core requirements are outlined for information and communications technology
   - Incident reporting obligations for major ICT disruptions

3. ICT risk management
   - Guiding principles and regulatory requirements for ICT risk management

4. ICT third-party risk management
   - Monitoring third-party service providers
   - Critical contractual clauses

5. Information sharing
   - Cyber threat intelligence exchange

6. Oversight of critical third-party providers
   - Regulatory framework for critical third-party ICT services

Penalties for not complying with DORA

Failing to comply with the Act’s requirements can lead to
serious financial consequences for the following parties:

- Companies: up to 2% of the total annual worldwide turnover OR up to 1% of the average daily turnover globally
- Individuals: up to €1,000,000
- Third-party ICT service providers: up to €500,000 for individuals; €5,000,000 for companies

Challenges in complying with DORA

Rome wasn’t built in a day, and neither will your
operational resilience be. DORA’s wide scope, covering various
financial entities and third-party providers, presents significant
compliance challenges, especially for smaller firms.

- Implementation complexity: DORA requires financial institutions to overhaul their operational frameworks, often involving the integration of new systems for risk management and incident reporting.
- Third-party risk management: DORA’s strict oversight of third-party providers increases complexity, mainly when dealing with large, global service providers.
- Cyber incident reporting: DORA’s strict reporting requirements, especially the tight timelines for initial and intermediate notifications, can be challenging to meet, particularly during large-scale cyberattacks.
- Resource intensity: Compliance with DORA demands significant financial and human resources, including hiring new staff, investing in technology, and ongoing training. Smaller firms may face particular challenges.
- EU-wide compliance and enforcement: Enforcing uniform compliance across EU member states, each with its own regulatory framework, can be challenging for multinational firms. Coordinating with national authorities adds administrative burdens.
- Operational resilience testing: Continuous testing of ICT systems, including penetration testing and stress testing, is resource-intensive and can disrupt operations if not managed carefully.
- Evolving cyber threat landscape: Keeping pace with the evolving cyber threat landscape while adhering to DORA’s strict requirements requires constant vigilance.
- Data protection and privacy: Incident reporting and monitoring involve handling sensitive data, requiring compliance with both DORA and the GDPR.
- Coordination with existing regulations: Aligning DORA with current international and national regulations without creating overlaps or conflicts is a complex task.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.