Institutions will need to comply with the regulation from 17 January 2025. In this article, we explore compliance with DORA and consider the opportunities it presents for financial institutions.
The Digital Operational Resilience Act (DORA) is an EU regulation designed to make financial entities more resilient against cyber-attacks and other Information and Communication Technology (ICT) risks, including a focus on third-party providers.
Under DORA, financial entities such as banks, investment firms and insurance companies, among others, are required to test and assess their digital operational resilience, keep ICT-supported services running, adopt robust ICT security measures and respond swiftly to ICT incidents. By setting out clear requirements for identifying and protecting against ICT risks, and for detecting, containing and recovering from incidents, the regulation seeks to safeguard the stability of the financial system.
According to a report by the International Monetary Fund in April 2024, extreme losses from cyber incidents are increasing, with the financial sector ‘uniquely exposed’. The report finds that attacks on financial firms account for almost one-fifth of all incidents with the sector suffering more than 20,000 cyberattacks and $12 billion in losses over the past two decades.
With the sector’s growing reliance on third-party service providers, the resilience of the ICT supply chain is equally vital to protect against attacks, such as the ransomware attack on C-Edge Technologies, a technology provider in India, which impacted payment systems at almost 300 local banks.
It is, then, no surprise that the consequences of non-compliance with DORA are hard-hitting. For financial entities, DORA does not fix a single fine itself: it requires each member state to lay down administrative penalties that are effective, proportionate and dissuasive, with national competent authorities setting the amount. Fines of up to 2% of global annual turnover are widely cited, and in any case the penalty will depend on the severity and duration of the breach and the level of cooperation the organisation extends to the relevant authorities.
Critical third-party ICT providers are supervised directly by a Lead Overseer (one of the three European Supervisory Authorities). If such a provider fails to follow the Lead Overseer's recommendations, it can be subject to periodic penalty payments of up to 1% of its average daily worldwide turnover in the preceding business year, applied for each day of non-compliance for up to six months. Here too, the amount depends on the gravity of the issue, whether it was intentional or negligent, and the degree of cooperation shown by the provider.
Organisations in the financial space may be concerned that time is running out to achieve compliance with DORA ahead of the January deadline. However, in many respects the regulation consolidates various existing guidelines into one piece of legislation.
Many of DORA's requirements already exist in other directives, regulations and standards, so in many cases firms will already have suitable controls in place that can be updated to incorporate the new requirements. Compliance may then be as straightforward as enhancing existing processes to bring them into line with DORA.
What matters is that institutions identify where the gaps are, then plan and deliver the remediation of those gaps, including embedding the resulting controls and processes into business-as-usual operations.
The bar will also be raised for critical third-party ICT providers, which must meet stringent requirements for the security, availability, quality and scalability of the services they deliver to financial entities. Under DORA, the EU financial supervisors acting as Lead Overseer can request information from these providers and carry out investigations and on-site inspections, which obliges providers to adopt open and transparent approaches to demonstrating their operational resilience. ICT providers must ensure that their IT, legal, compliance and business stakeholders are aligned on these audit and inspection requirements.
Financial entities should introduce a framework to track and document all relevant information, including ICT assets, infrastructure and the business functions they support, together with a register of their contractual arrangements with ICT third-party providers. Firms must use this framework to track ICT risk consistently, including risks arising from third-party providers, and to stay aware of current cybersecurity threats. These inventories must be reviewed regularly so that new risks are captured rather than missed.
As part of this process, businesses should look at what regulatory processes and controls they already have in place and leverage these where possible, because DORA is largely bringing together existing rules and requirements.
Financial institutions are accustomed to carrying a compliance burden, and a necessary one, in order to protect consumers and keep the financial sector stable. DORA can be seen as an opportunity to carry out a thorough audit, streamline existing controls and protections, and add a further layer of security.
Consumers face substantial challenges if a banking system were to collapse as a result of an IT failure or breach. Whether this impacts an important transfer, inter-company payment, property purchase or social welfare payment, the robustness of financial systems is critical to the everyday lives of most people.
DORA's harmonised framework, and in particular its resilience testing (including threat-led penetration testing for the largest entities) and contingency planning requirements, aims to limit the significant and detrimental effects an incident could have on consumers, thereby increasing the safety of the financial system and customers' confidence in it.
Ensure your business is compliant with DORA ahead of 17 January 2025.