DORA the Resilience Explorer: Navigating the New EU Financial Regulations

Martin Lewis, Cyber and Operational Sales Manager of Daisy Corporate Services

Due to the sensitive data they hold, financial services providers must continually mitigate against cyber security threats and operational disruption. As the average cost of a data breach in the sector has increased to $4.88 million in the last year, it’s little surprise that cyber security remains the top risk for European banks. Alongside third-party risks, rapid technological changes and an evolving regulatory landscape, financial service providers face a growing challenge.

To increase the resilience, security and competitiveness of Europe’s financial sector, the European Supervisory Authorities (ESAs)have introduced the Digital Operational Resilience Act (DORA). This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk.

Effective from 17^th January 2025, the regulation mandates that financial institutions adopt rigorous measures to prevent, mitigate, respond to and recover from incidents. The ESAs have the power to impose fines for noncompliance of up to 2% of their total annual worldwide turnover, and an individual could face a maximum fine of €1 million.

The 7 steps to success   

With the regulatory deadline approaching, businesses must take decisive steps to achieve and maintain compliance. The following steps provide a structured approach for organisations to ensure compliance, manage third-party risks, and continuously improve their operational resilience in an evolving threat landscape.

1. Assessment and analysis: Organisations will need to assess their current IT infrastructure, including any potential IT risks such as cyber security threats and third-party dependencies. Collaborative analysis can be useful to support an effective assessment and gain insight into all business operations. Risk management practices and incident response capabilities should also be evaluated against the DORA requirements, especially those concerning critical materials or assets. Any gaps and vulnerabilities that require attention and mitigation must also be identified at this stage.
2. Develop a compliance strategy: Once the risk assessment is complete, a detailed plan is required that addresses all vulnerabilities across the organisation. This compliance strategy should clearly define roles and responsibilities in the event of an incident, as well as allocate organisational resources where they are needed most. Clear timelines should be set for each milestone to support a smooth transition to reach DORA compliance.
3. Enhance risk management frameworks: IT risk management processes will need to be enhanced by incorporating DORA’s requirements into the existing risk management procedures. This should include regular risk assessments, vulnerability management, and threat intelligence monitoring to effectively identify mitigate risks. Third and fourth-party service providers will also need to be analysed for potential vulnerabilities.
4. Establishing incident reporting protocols: Developing clear and efficient incident reporting procedures is also essential for maintaining DORA compliance. This involves setting up structured processes for both internal and external communication regarding IT incidents. Organisations need to ensure that everyone responsible for these protocols clearly understands their roles and responsibilities.
5. Conducting operational resilience testing: Regular stress testing of IT systems should be scheduled and executed to assess the organisations resilience against disruptions. These tests need to be comprehensive and mirror real-world scenarios to be most effective. Operational resilience should be regularly evaluated through methods such as penetration testing, red team exercises, and business continuity testing.
6. Managing third-party risks: Any risks associated with third-party service providers must be diligently assessed and managed via contractual safeguards and regular monitoring of DORA compliance. Existing third-party contracts should also be analysed to ensure that they meet the framework requirements.
7. Monitoring and continuous improvement: It is essential for organisations to continuously monitor compliance efforts and measure progress against DORA requirements. As new cyber threats evolve and regulations are updated, resilience strategies should be evaluated and improved to ensure continuous compliance. By making improvements as needed, the system can be refined and optimised.

Starting early

By meeting the specific requirements of the DORA regulation, financial services providers will be well-placed to safeguard their customers, protect their reputation and avoid non-compliance fines.  

However, as new digital challenges and trends emerge, organisations must continue to be proactive with their operational resiliency plans and strategies.  Resiliency best-practice is a process of continuous evolution and improvement, and organisations across the sector will need to be ready to adapt to the increasingly digital and rapidly evolving world.