The deadline for complying with the EU’s Digital Operational Resilience Act (DORA) passes today (January 17, 2025). Experts warn that financial institutions must address their cyber fundamentals and look beyond mere compliance with the new regulations.

DORA aims to address threats to financial entities’ ICT infrastructures and enhance their resilience to disruption.

The act, which entered into force in January 2023 and applies from January 17, 2025, addresses various elements of cyber resilience, auditability, and the shared responsibilities of financial institutions and the third-party software and IT service providers whose services support business operations.

Resilience must be built into a financial institution’s entire service chain, including third-party providers, as banks and other firms seek to limit downtime and other disruption if they suffer a cyber breach.

According to SecurityScorecard, between August 2023 and August 2024, 98% of the EU’s top companies experienced a breach involving third-party suppliers.

Under DORA, financial institutions need to identify and assess the criticality of the third-party service providers they use, based on business impact and the level of risk those providers pose.

Critical moment

The passing of the DORA deadline marks a “critical moment” for financial institutions, according to Dynatrace VP of product portfolio Bob Wambach, who adds that compliance is “essential to maintaining trust” and boosting customer relationships within and outside Europe.

However, Wambach also warned: “Compliance will only take banks so far. Financial services firms both in Europe and the UK must be prepared not just to meet the baseline requirements of DORA, but to empower their teams to respond instantly to operational disruption and cyber incidents. This means going beyond checkbox compliance measures.

“Organisations must prioritise continuous testing of their services and embrace a culture of resiliency first. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to rapidly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed.

“It remains to be seen how strictly EU regulators will enforce the rules surrounding DORA, but one thing is certain: no financial institution wants to be the first to fall short.”

This view of going beyond just compliance was echoed by the director of customer engagement at Resilience, Si West, who warned the new regulations will disproportionately impact smaller financial institutions that “often struggle to maintain transparency with regulators, board members, and other stakeholders while safeguarding sensitive operational details.”

He added that business leaders need to carefully consider vendor risk management. Recent incidents, including last year’s CrowdStrike outage and the MOVEit and Ivanti breaches, illustrate how third-party systems can compromise internal security frameworks.

“With DORA setting a higher bar for operational resilience, financial institutions must go beyond compliance to safeguard their digital infrastructure, protect customer data, and remain agile in the face of emerging threats,” concluded West.

DORA slams shut

The EU has said that now that the deadline has passed, firms found to have breached DORA will have no leeway. Those who haven’t sufficiently prepared for compliance will be vulnerable to sanctions, including fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of €1,000,000.

It remains to be seen how strictly the EU will actually enforce the legislation or who will become the first to be penalised under the new rules, but the impact could reach beyond only monetary penalties.

Nic Sarginson, principal solutions engineer at Yubico, highlights non-compliance risks.

“Non-compliance with DORA could have significant repercussions for financial firms and their technology providers,” said Sarginson.

“Although specific penalties haven’t been outlined, it’s likely that fines will be proportional to the severity of the breach, much like GDPR. In severe or repeated cases, authorities may even suspend or terminate contracts.

“However, the financial consequences are just one aspect, as organisations that fail to comply also risk serious reputational damage and a loss of trust from customers and partners, which can be extremely difficult to recover from in this industry.

“Achieving DORA compliance isn’t an overnight task. The regulation’s broad scope, which includes requirements for incident reporting and third-party risk management, demands ongoing effort and meticulous planning.

“Nevertheless, prioritising cyber-hygiene and strong authentication practices will not only ensure compliance but also support a culture of cybersecurity excellence, redefining how enterprises approach resilience and risk management.”

Crypto and Cloud

The new rules could create specific challenges for organisations operating a hybrid or multi-cloud setup, warned Emma CEO Dmitry Panenkov, who explained these environments often lack “the integration needed for comprehensive risk management and compliance oversight”.

“Another critical area is ensuring they have a dedicated and mature Digital Resilience Framework. Organisations must be prepared to conduct required annual evaluations and tests, but many are still building the capabilities and processes needed to meet these obligations.

“This includes enhancing real-time risk mitigation strategies and ensuring that data security processes are robust to withstand operational and regulatory scrutiny,” he added.

Cryptocurrency firms must also consider their compliance, as should firms that engage with crypto and other digital coins, according to Bitpace CPO Can Taner.

“DORA’s impact will ultimately herald new levels of transparency in the industry and prove a positive step for building consumer trust in digital payments. DORA can help providers set the stage for straightforward borderless financial commerce, where accepting, sending, and storing digital payments is as smooth as possible,” Taner said.

“In its digital state, commerce requires a constant transfer of data, and in an era when cyber threats and outages are mounting, customers need assurances that their money is in safe hands.

“This is why DORA is important across the board, encouraging companies to take a more proactive approach to security, building out a robust data strategy, rather than mitigating operational risks by allocating capital to cover losses.

“For crypto specifically, DORA, in parallel with the recently introduced MiCA guidelines, will also provide the strong regulatory framework needed to legitimise the asset class as a viable and trusted payment solution for businesses.”

He concluded, “At a time when many European businesses are dealing with operational challenges and high costs as a result of various geopolitical and macroeconomic factors, crypto offers them the critical alternative gateway they need to remove barriers and continue trading globally.”