Entities in the financial sector are running out of time as they prepare for strict new rules from the European Union (EU). The EU took significant steps to protect its financial sector from growing cyber threats with the introduction of the Digital Operational Resilience Act (DORA), a regulation that mandates financial services companies to strengthen their resilience against cyber risks.
By January 17, 2025, firms operating within the EU’s financial sector will need to demonstrate that their systems are robust enough to withstand significant operational disruptions, especially those caused by cyber threats.
Adopted in December 2022, DORA seeks to ensure that financial institutions can continue to operate smoothly during cyberattacks and other technological disruptions. In an era where ransomware attacks, distributed denial-of-service (DDoS) incidents, and IT outages are becoming more common, the regulation requires financial firms to enhance their IT security. This includes not only traditional banking institutions but also insurance companies, investment firms, and their third-party service providers.
The regulation is part of the EU’s broader effort to build a more secure and resilient financial ecosystem, where operational disruptions do not lead to widespread economic fallout. DORA aims to ensure that firms are prepared for a wide range of potential disruptions, from cyberattacks to natural disasters, and can recover quickly while continuing to serve their clients.
DORA sets out a number of compliance obligations for financial services firms. One of the standout features of the regulation is that it extends beyond internal security measures and includes third-party technology providers as well. This means banks and other financial institutions will need to thoroughly assess their relationships with external IT and cloud service providers.
Under DORA, firms must implement stringent IT risk management practices, which include:
- Incident Management: Firms must have clear processes in place for identifying, managing, and reporting cyber incidents. This includes notifying authorities when a significant disruption occurs.
- Digital Operational Resilience Testing: Regular testing of a company’s digital infrastructure will be mandatory, including simulations of potential cyberattacks. The goal is to ensure that companies are ready for any eventuality.
- Third-Party Risk Management: Firms will be required to conduct assessments of third-party service providers to ensure that these vendors do not introduce undue risk. This involves monitoring outsourcing arrangements and mitigating concentration risks when multiple firms rely on the same critical service provider.
- Information Sharing: DORA encourages information sharing among financial institutions, especially when it comes to cyber threats and vulnerabilities. This will enable the industry to stay ahead of emerging risks.
For many companies, achieving compliance with DORA will require significant investments in technology and cybersecurity infrastructure. One of the major challenges is ensuring that third-party suppliers—especially cloud and IT service providers—also meet DORA’s stringent requirements. Financial institutions are heavily reliant on these third-party vendors, which means any weakness in their systems could have significant consequences for the financial sector. DORA requires firms to develop clear contracts and performance evaluations with these vendors to mitigate risks.
Non-compliance with DORA rules can lead to fines of up to 2% of a firm’s annual global turnover or revenue. Additionally, individual managers within financial institutions could be personally liable, facing fines that can reach €1 million for breaches of DORA. Third-party ICT providers who fail to meet compliance requirements may also be penalized, with fines reaching 1% of their global daily turnover for each day of non-compliance, and up to €5 million for more severe violations. These penalties are designed to ensure that financial firms and their ICT partners prioritize digital operational resilience and safeguard the financial sector from disruptions and cyber threats.
With the January 2025 deadline looming, financial institutions across the EU and around the world are ramping up efforts to meet DORA’s requirements. Many firms are conducting internal audits to identify gaps in their resilience plans, while others are collaborating with cybersecurity experts to ensure that their systems are up to the task.
Need Help?
If you have questions or concerns about any EU or global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.