The Future of Compliance: How DORA Will Transform the Financial Sector
October 2024, by Narendra Sahoo, director of VISTA InfoSec
The financial industry has long been subject to stringent regulatory standards, especially when it comes to operational resilience and cybersecurity. In December 2022, the European Union published the Digital Operational Resilience Act (DORA) in the Official Journal of the EU, aiming to support the financial sector’s ability to withstand and recover from ICT-related disruptions.
Set to take effect on January 17, 2025, DORA marks a significant shift in how financial institutions are required to manage operational risks. In the event of non-compliance after the enforcement date, financial organizations may face fines of up to 2% of their total worldwide turnover or 1% of their average daily worldwide turnover, with daily fines applicable until compliance is achieved.
Additionally, individuals in leadership positions of companies may face fines of up to EUR 1,000,000 for DORA non-compliance. So, if you’re in the financial sector, make sure you get your organization DORA compliant. In today’s article, we will explore the reason why DORA compliance matters in the financial sector, its impact, and how to prepare for DORA compliance.
Why does DORA compliance matter in the financial sector?
Compliance with DORA is not just about ticking boxes; it is about ensuring the long-term operational stability of the financial ecosystem. There are several reasons why financial sector compliance with DORA is important.
1. Heightened cybersecurity threats
With cyberattacks on the rise, financial institutions face constant threats that could disrupt operations, compromise data, and lead to financial losses. According to a Sophos report, around 65% of financial services organizations were hit by ransomware in 2024, which shows how important a strong security framework is for staying operational and resilient during such events.
DORA ensures that institutions take a proactive stance on cybersecurity by mandating stringent risk management and incident reporting mechanisms. By enforcing these measures, DORA helps financial organizations confront cyber threats head-on, ensuring they are prepared to mitigate risks and recover swiftly from disruptions when an attack occurs.
2. Regulatory uniformity
Before DORA, financial institutions across the EU operated under different rules for managing ICT risks, leading to inconsistencies and gaps in protection. DORA aims to fix that by establishing uniform regulations across the EU, creating a level playing field for financial entities, whether they’re large or small.
This regulatory consistency means that all financial institutions will follow the same high standards for ICT risk management, reducing opportunities for regulatory arbitrage. More importantly, it strengthens the entire sector’s ability to fend off disruptions, ensuring a higher degree of resilience across all EU member states.
3. Third-party risk management
Today’s financial institutions rely heavily on third-party service providers for critical functions like cloud services, data processing, and cybersecurity. While these partnerships offer convenience, they also introduce significant risks. DORA addresses this by holding financial institutions accountable for managing third-party risks.
This means organizations need to carefully vet their ICT service providers and ensure they meet the same resilience standards as the financial institutions themselves. DORA encourages financial entities to set up strong contracts, monitor their third-party providers closely, and prepare for potential disruptions caused by external vendors. In doing so, it creates a more resilient financial ecosystem where third-party risks are actively managed rather than overlooked.
How will DORA transform financial institutions?
The introduction of DORA will have a far-reaching impact on financial institutions across Europe. Here are some of the key ways in which DORA will transform operations:
1. Stronger ICT risk management frameworks
DORA mandates that financial institutions implement comprehensive ICT risk management frameworks to identify, assess, and mitigate risks throughout their operations. These frameworks must be continuously updated to address emerging threats. Institutions are expected to maintain resilience against ICT disruptions and ensure quick recovery when incidents occur.
DORA Article 5 emphasizes that institutions must integrate ICT risk management into their overall governance, ensuring accountability at the senior management level for monitoring and addressing ICT risks as part of their business operations.
2. Comprehensive incident reporting
DORA introduces strict requirements for reporting significant ICT-related incidents. Financial institutions must promptly notify national authorities about any major ICT disruptions, providing detailed reports on the cause, impact, and remedial actions taken.
Article 17 specifies the requirement for immediate reporting of significant incidents, while Article 18 outlines the need for follow-up assessments, including detailed evaluations of the incident’s impact and the corrective measures taken. This standardization helps authorities gauge the stability of the financial sector and enables faster responses to widespread threats.
3. Tighter oversight of third-party providers
Financial institutions increasingly rely on third-party providers for ICT services such as cloud computing and data storage, which introduces new risks. DORA places responsibility on financial entities to ensure these providers meet the same resilience standards. This includes regular audits, updated contracts, and stronger service level agreements (SLAs).
Article 28 mandates that institutions regularly assess and monitor the risks associated with third-party ICT service providers, ensuring they adhere to DORA’s security and resilience standards to avoid weak links in their digital supply chain.
4. Unified regulatory standards across the EU
Before DORA, ICT risk management regulations varied across EU member states, creating a fragmented regulatory landscape. DORA addresses this issue by introducing a single, unified framework for all EU financial institutions. This ensures consistency in how ICT risks are managed and helps eliminate regulatory gaps.
Article 1 establishes DORA as the overarching regulatory framework aimed at harmonizing ICT risk management rules across all EU member states, allowing institutions to operate under the same high standards regardless of their location.
5. Increased operational costs and investments
Compliance with DORA will require financial institutions to invest in upgrading their ICT infrastructure and systems to meet the new regulatory standards. This may lead to increased operational costs, especially for smaller institutions that may struggle to allocate the necessary resources.
However, these investments are crucial for long-term operational resilience. Article 5 emphasizes that institutions must allocate adequate financial and human resources to support their ICT risk management efforts. While this may initially increase operational costs, the long-term benefits of enhanced resilience and reduced risk far outweigh the expenses.
Steps to prepare for DORA compliance
Given the importance of DORA, financial institutions must start preparing well before the January 2025 enforcement date. Here are some key steps to take:
1. Conduct a Gap Analysis
Institutions should conduct a detailed gap analysis to assess where their current ICT risk management and operational resilience practices fall short of DORA’s requirements. This analysis will help prioritize areas that need improvement.
2. Strengthen ICT Risk Management Frameworks
Financial entities need to enhance their ICT risk management frameworks, ensuring they cover the full lifecycle of digital operations. This includes creating comprehensive plans for disaster recovery, business continuity, and incident response.
3. Ensure Third-Party Compliance
Review contracts and service level agreements (SLAs) with third-party ICT providers to ensure they meet DORA’s standards. Regular audits and monitoring will be essential to guarantee compliance throughout the supply chain.
4. Implement Incident Reporting Mechanisms
Financial institutions should establish strict processes for identifying, documenting, and reporting ICT-related incidents. This includes ensuring that reporting is timely and meets the detailed requirements outlined in DORA.
5. Train Employees
Compliance with DORA is not just a technology issue; it requires a culture of resilience. Institutions should train employees at all levels on the importance of operational resilience and how to respond to ICT disruptions.
6. Involve External Auditors for Additional Assurance
External auditors can provide valuable independent reviews of your ICT risk management frameworks, incident reporting processes, and third-party oversight, ensuring that all areas meet DORA’s standards. Their expertise helps institutions identify gaps that internal teams may overlook and ensures a more thorough approach to regulatory readiness.
Conclusion
Staying compliant in today’s rapidly evolving digital world is a challenge, especially with the increasing complexity of cyber threats. The introduction of DORA marks a significant step forward in safeguarding the financial sector by enforcing ICT risk management strategies. By preparing for DORA, financial institutions can ensure they remain operational and resilient, even in the face of severe digital disruptions.
As the January 2025 enforcement date approaches, taking proactive steps toward compliance will not only protect your organization against future risks but will also ensure long-term stability.