Financial Sector Braces for Impact of New EU Cybersecurity Regulation, DORA

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 10/15/2024
In News

UPDATE — SEPTEMBER 2025: Since this article on the EU’s Digital Operational Resilience Act (DORA) was first published, the regulation has officially entered into force, and the January 17, 2025 compliance deadline has passed. Financial firms across the EU are now required to prove that their systems can withstand cyber incidents, IT outages, and other disruptions. The European Supervisory Authorities (ESAs: EBA, ESMA, EIOPA) are coordinating enforcement with national regulators, and compliance is being checked during supervisory reviews and inspections.

Over the past year, the ESAs finalized Regulatory and Implementing Technical Standards that spell out the details of ICT risk management, incident reporting thresholds, resilience testing, and oversight of third-party technology providers. These are now binding and form the baseline regulators use to assess compliance. A major shift is that cloud and IT giants, including AWS, Microsoft, and Google Cloud, may now be designated as critical ICT providers, bringing them under direct EU oversight for the first time.

In the first wave of supervisory reviews in early 2025, banks, insurers, and investment firms were generally found to be progressing but showed weaknesses in third-party risk monitoring and incident reporting practices. No public fines have yet been issued, but regulators in Germany, France, and the Netherlands have made clear that enforcement actions are expected by 2026 against lagging firms.

Globally, DORA’s reach is extending beyond the EU. U.K. and U.S. regulators are watching closely and have already begun referencing DORA principles in their own operational resilience frameworks. This signals that compliance expectations are converging across jurisdictions.
ORIGINAL NEWS STORY:
Financial Sector Braces for Impact of New EU Cybersecurity Regulation, DORA
Entities in the financial sector are running out of time as they prepare for strict new rules from the European Union (EU). The EU took significant steps to protect its financial sector from growing cyber threats with the introduction of the Digital Operational Resilience Act (DORA), a regulation that mandates financial services companies to strengthen their resilience against cyber risks. 
By January 17, 2025, firms operating within the EU’s financial sector will need to demonstrate that their systems are robust enough to withstand significant operational disruptions, especially those caused by cyber threats.
Adopted in December 2022, DORA seeks to ensure that financial institutions can continue to operate smoothly during cyberattacks and other technological disruptions. In an era where ransomware attacks, distributed denial-of-service (DDoS) incidents, and IT outages are becoming more common, the regulation requires financial firms to enhance their IT security. This includes not only traditional banking institutions but also insurance companies, investment firms, and their third-party service providers.
The regulation is part of the EU’s broader effort to build a more secure and resilient financial ecosystem, where operational disruptions do not lead to widespread economic fallout. DORA aims to ensure that firms are prepared for a wide range of potential disruptions, from cyberattacks to natural disasters, and can recover quickly while continuing to serve their clients.
DORA sets out a number of compliance obligations for financial services firms. One of the standout features of the regulation is that it extends beyond internal security measures and includes third-party technology providers as well. This means banks and other financial institutions will need to thoroughly assess their relationships with external IT and cloud service providers.
Under DORA, firms must implement stringent IT risk management practices, which include:
  • Incident Management: Firms must have clear processes in place for identifying, managing, and reporting cyber incidents. This includes notifying authorities when a significant disruption occurs.
  • Digital Operational Resilience Testing: Regular testing of a company’s digital infrastructure will be mandatory, including simulations of potential cyberattacks. The goal is to ensure that companies are ready for any eventuality.
  • Third-Party Risk Management: Firms will be required to conduct assessments of third-party service providers to ensure that these vendors do not introduce undue risk. This involves monitoring outsourcing arrangements and mitigating concentration risks when multiple firms rely on the same critical service provider.
  • Information Sharing: DORA encourages information sharing among financial institutions, especially when it comes to cyber threats and vulnerabilities. This will enable the industry to stay ahead of emerging risks.
For many companies, achieving compliance with DORA will require significant investments in technology and cybersecurity infrastructure. One of the major challenges is ensuring that third-party suppliers—especially cloud and IT service providers—also meet DORA’s stringent requirements. Financial institutions are heavily reliant on these third-party vendors, which means any weakness in their systems could have significant consequences for the financial sector. DORA requires firms to develop clear contracts and performance evaluations with these vendors to mitigate risks.
Non-compliance with DORA rules can lead to fines of up to 2% of a firm’s annual global turnover or revenue. Additionally, individual managers within financial institutions could be personally liable, facing fines that can reach €1 million for breaches of DORA. Third-party ICT providers who fail to meet compliance requirements may also be penalized, with fines reaching 1% of their global daily turnover for each day of non-compliance, and up to €5 million for more severe violations. These penalties are designed to ensure that financial firms and their ICT partners prioritize digital operational resilience and safeguard the financial sector from disruptions and cyber threats.
With the January 2025 deadline looming, financial institutions across the EU and around the world are ramping up efforts to meet DORA’s requirements. Many firms are conducting internal audits to identify gaps in their resilience plans, while others are collaborating with cybersecurity experts to ensure that their systems are up to the task.
Need Help?
If you have questions or concerns about any EU or global guidelines, regulations, and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.