This regulation requires financial institutions (including banks, insurance companies, investment firms, and third-party service providers) to implement stringent measures to prevent and mitigate cyber threats, and to withstand, respond to, and recover from any IT-related disruptions.
Why is DORA Needed?
The financial sector is increasingly reliant on technology and on tech companies to deliver financial services. This dependence increases vulnerability to cyber attacks and incidents. Poorly managed IT risks can disrupt cross-border financial services, impacting other companies, sectors, and the broader economy.
That’s why the Digital Operational Resilience Act is crucial. DORA aims to ensure the financial sector’s digital operational resilience, safeguarding against these threats and ensuring stability across the entire economy.
Timeline for Implementing DORA
The three European Supervisory Authorities (ESAs) — the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — are developing a set of policy products to facilitate the implementation of DORA.
Does DORA Impact Your Organisation?
Twenty different types of financial services organisations of all sizes will be affected by the Digital Operational Resilience Act, including:
The Five Pillars of DORA
DORA is built on five key pillars focused on IT risk management, reporting, and testing. Each pillar is designed to ensure that financial organisations can withstand, respond to, and recover from IT incidents effectively.
ICT Risk Management
Identify and manage risks related to information and communication technology (ICT).
Incident Reporting
Report IT-related incidents promptly and accurately to regulatory authorities.
Digital Operational Resilience Testing
Regularly test systems and processes to ensure they can withstand and recover from disruptions.
Management of Third-Party Risks
Manage and monitor risks associated with third-party service providers.
Information Sharing
Share information about threats and incidents with other financial entities and regulators.
The Consequences of Non-Compliance
You have until 17 January 2025 to be compliant with the requirements of DORA. Organisations found to be non-compliant with DORA may be fined up to 1% of their average daily global turnover from the previous year. This fine can be levied daily until the organisation is found to have attained compliance, meaning significant fines can accrue for non-compliance, especially over a protracted period.
As a result, you should look to carry out a gap analysis against the requirements of DORA and the five pillars as soon as possible to ensure you have sufficient time to implement any identified remediations ahead of the January deadline.
Who Will Enforce These Penalties?
Now that the DORA proposal has been formally adopted, EU member states will pass national legislation to transpose its provisions into law. Concurrently, the European Supervisory Authorities (ESAs) will develop technical standards for all financial services institutions, covering sectors from banking to insurance to asset management. National competent authorities will oversee compliance and enforce the regulation as needed.
How Can We Help?
Your Roadmap to DORA Compliance
DORA requires a strategic roadmap that addresses key requirements and ensures robust operational resilience within the financial sector.
Take a look at our roadmap to success, which outlines seven essential steps to achieving and maintaining compliance, enhancing operational resilience, and gaining cyber security readiness ahead of the 2025 deadline.
- Current State Assessment and Gap Analysis
- Develop a Compliance Strategy
- Enhance Risk Management Frameworks
- Establish Incident Response Protocols
- Conduct Operational Resilience Testing
- Manage Third-Party Risks
- Monitoring and Continuous Improvement