
Digital Operational Resilience Act (DORA)

Here’s everything you need to know about the Digital Operational Resilience Act (DORA), which will apply from 17th January 2025.

The Digital Operational Resilience Act (DORA) is an EU regulation designed to improve digital operational resilience for a range of financial entities. Under DORA, financial institutions will be mandated to test, assess and ensure digital operational continuity, adopt robust security networks and respond swiftly to Information Technology (IT) incidents. Published initially in 2022, the regulations will apply from 17th January 2025. Let’s go through the ins and outs of DORA.

Why do we need more EU regulation? 

The purpose behind DORA is to establish a collective regulatory framework that supports financial institutions and their third-party technology suppliers in mitigating IT risks. This more holistic approach standardises and harmonises existing EU regulations and legislation and helps organisations identify potential IT challenges that could impact millions of customers and the wider economy. 


What sanctions does DORA involve? 

Under DORA, if a financial entity does not comply with the regulations, they can face fines of up to 2% of their global annual turnover. The fine given will depend on the severity of the violation and also the level of cooperation extended from an organisation to relevant authorities.

Third-party IT providers can also be fined up to $5 million if a breach of the regulations is found, and again the amount will depend on the degree of cooperation demonstrated by the organisation and the severity of the issue.

The onus of reporting IT issues that present a risk is on financial institutions. If self-reporting has not been undertaken, this in itself can be considered a breach of the regulations and result in a fine. 

What banks need to do to be compliant with DORA  

There are four key aspects of DORA that banks need to be aware of to be compliant. Firstly, they will have to ascertain what their critical IT functions are and be able to map them. While financial institutions may have a good sense of what these are, DORA requires more in-depth reviews to be undertaken and documentation to be provided using standardised criteria.  

Secondly, these critical IT functions will have to be risk-managed through the identification, mitigation and evaluation of the risks associated with them. This will involve stress testing, contingency planning and taking a more structured approach using specific criteria.

Third-party dependencies are another important area as the Act does not simply relate to financial institutions in the EU but also to third-party companies whose services are being utilised. This means that the risks associated with using companies such as data analytics or storage providers will also need to be managed and assessed.  

Finally, companies will have to establish a clear framework for how incidents such as cyber-attacks and IT disruptions are reported, with an emphasis on promptness and consistency. This reporting element of DORA also benefits other financial institutions, which become aware of critical events that may have a wider impact.


The impact of DORA for consumers  

Consumers face substantial and multiple challenges if a banking system were to collapse as a result of an IT failure. Whether this impacts an important transfer, intercompany payment, property purchase or social welfare payment, the robustness of financial systems is critical to the everyday lives of most people.

DORA’s harmonised framework, and in particular the stress testing and contingency planning aspects of the regulations, aims to prevent potentially significant and detrimental effects on consumers.

Conclusion

Because DORA effectively builds on existing best practices and regulations, preparing to become compliant should not present significant challenges. The real risk is to be complacent.

In the lead up to January 2025, financial organisations should map their end-to-end processes, take any remediation action, look for gaps in their systems and consider closely what they already have in place and what improvements can be made to become compliant with DORA. 
