Financial Sector Braces for Impact of New EU Cybersecurity Regulation, DORA

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 10/15/2024
In News

UPDATE — SEPTEMBER 2025: Since this article was published, the EU’s Digital Operational Resilience Act (DORA) has become fully applicable. The regulation entered into force in January 2023, and its requirements have applied to in-scope firms since 17 January 2025. EU financial entities now must be able to demonstrate that their systems can withstand cyber incidents, IT outages, and other disruptions. The European Supervisory Authorities (EBA, ESMA, EIOPA) are coordinating enforcement with national competent authorities, and compliance is being checked during supervisory reviews and inspections.

Over the past year, the ESAs finalized the Regulatory and Implementing Technical Standards that spell out the details of ICT risk management, incident classification and reporting thresholds, resilience testing, and oversight of ICT third-party service providers. These are now binding and form the baseline regulators use to assess compliance. A major shift is that large cloud and IT providers can now be designated as critical ICT third-party service providers, which places them under direct EU oversight by a Lead Overseer (one of the ESAs) for the first time.

In the first wave of supervisory reviews in early 2025, banks, insurers, and investment firms were generally found to be progressing but showed weaknesses in third-party risk monitoring and incident reporting practices. No public fines have yet been issued, but regulators in Germany, France, and the Netherlands have made clear that enforcement actions are expected by 2026 against lagging firms. Globally, DORA’s reach is extending beyond the EU. U.K. and U.S. regulators are watching closely and have already begun referencing DORA principles in their own operational resilience frameworks. This signals that compliance expectations are converging across jurisdictions.

ORIGINAL NEWS STORY:

Financial Sector Braces for Impact of New EU Cybersecurity Regulation, DORA

Entities in the financial sector are running out of time as they prepare for strict new rules from the European Union (EU). The Digital Operational Resilience Act (DORA) sets a high bar for how financial services companies must handle ICT and cyber risk, and its requirements apply from January 17, 2025. From that date, firms must be able to show that their systems can withstand operational disruptions.

Strengthening Cyber Defenses

Adopted in December 2022, DORA aims to ensure that banks, insurers, investment firms, and third-party providers can maintain critical operations even during cyberattacks or IT outages. The regulation reflects growing concerns over ransomware, DDoS attacks, and digital infrastructure failures that can ripple across economies. By mandating that firms demonstrate strong internal controls and recovery procedures, DORA strengthens the EU’s broader financial resilience strategy. The regulation also expands accountability to include key technology vendors, creating shared responsibility across the entire digital supply chain.

Core Requirements Under DORA

Financial entities must maintain a documented ICT risk management framework and follow detailed obligations covering how they identify, classify, respond to, and report ICT-related incidents.

  • Incident Management: Firms must have clear, documented processes for detecting, classifying, responding to, and reporting ICT-related incidents. Incidents classified as major must be reported to the competent authority in stages: an initial notification, an intermediate report, and a final report.
  • Resilience Testing: A digital operational resilience testing programme is mandatory. Basic tests such as vulnerability assessments and scenario-based exercises must be run at least yearly on systems supporting critical functions, and entities designated by their authorities must also undergo threat-led penetration testing (TLPT) against live production systems at least every three years. These exercises simulate realistic attacks to confirm that systems recover quickly and that data integrity is preserved.
  • Third-Party Risk Oversight: Firms must assess and continuously monitor their ICT third-party service providers, keep a register of information on all contractual arrangements with them, and manage ICT concentration risk. This includes cloud and IT vendors whose compromise or outage could disrupt financial systems.
  • Information Sharing: The regulation allows financial entities to exchange cyber threat information and intelligence, such as indicators of compromise and attacker tactics, within trusted communities, so that shared awareness of threats and vulnerabilities strengthens collective defenses.

Compliance and Enforcement

Compliance with DORA will require significant investment and preparation. DORA does not itself fix a fine scale for financial entities; it requires each Member State to lay down administrative penalties and remedial measures, which national competent authorities then apply, so the widely quoted figures of 2% of annual global turnover and €1 million for senior managers do not appear in the regulation. For critical ICT third-party providers, by contrast, the regulation is explicit: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover, accruing daily for up to six months until the provider complies. To meet the deadline, companies are conducting audits, updating vendor contracts, and aligning policies with EU cybersecurity standards. While compliance may be costly, regulators argue that proactive resilience will reduce the long-term risk of catastrophic digital failures.

Need Help?

If you have questions or concerns about EU or global guidelines, regulations, and laws, don’t hesitate to reach out to BABL AI. Their audit experts can offer valuable insight and help ensure you are informed and compliant.
