How DORA will redefine cybersecurity resilience in 2025 and beyond

Giles Inkson, Director of Services, EMEA at NetSPI

The clock is ticking for financial institutions to strengthen their cyber defences with DORA (Digital Operational Resilience Act) coming into enforcement on 17th January 2025.

Introduced in response to increasingly sophisticated cyberattacks targeting banks, insurers, payment firms, and other financial entities, DORA sets out a formidable new regulatory landscape to ensure the sector’s continued stability and trustworthiness.

The stakes are high: cybercrime is forecast to cost the world £8.6 trillion by 2025 (equivalent to over $10.5 trillion), according to estimates from Cybersecurity Ventures, underscoring the urgent need for greater digital resilience.

Where businesses should be right now on their DORA journey

As we fast approach the upcoming deadline, financial institutions should already be deeply entrenched in their compliance efforts. While full readiness isn’t expected by mid-January, regulators and stakeholders will be looking for demonstrable progress. Businesses should, by now, have identified gaps in their operational resilience strategies and set clear, actionable plans to address them.

A measured approach to compliance means prioritising critical areas first, such as understanding third-party risk, shoring up cybersecurity measures, and establishing robust incident response frameworks. For many firms, this also involves collaboration across the organisation, ensuring that resilience isn’t confined to the IT department but woven throughout different departments.

Proactive planning is key. Those organisations that still haven’t taken initial steps face a steep climb, but the emphasis on clear, visible progress provides a lifeline – one that must be seized immediately. A last-minute scramble will only expose vulnerabilities and risk both reputational damage and regulatory penalties.

What the future looks like once DORA comes into effect

Once DORA takes full effect, the financial sector will function with a heightened awareness of vulnerabilities and a culture rooted in resilience. The era of reactive problem-solving will give way to proactive management of risks, with firms required to demonstrate regular testing of their defences and robust mechanisms for handling disruptions. This includes annual basic penetration tests and advanced threat intelligence-based exercises every three years.

One significant shift will be the focus on supply chain resilience. Financial institutions will need to maintain a comprehensive view of their third-party relationships, ensuring that suppliers meet stringent operational resilience standards. Cyber risks rarely respect organisational boundaries, and DORA recognises that a single weak link can compromise the entire ecosystem.

Organisations that treat resilience as a continuous journey, rather than a box-ticking exercise, will set the standard. These firms will not only meet compliance requirements but will also cultivate trust among customers, regulators, and partners, positioning themselves as leaders in a more secure financial ecosystem.

Why firms shouldn’t rest on their laurels

The January 2025 deadline is not the end of the road but a waypoint on an ongoing journey. Cyber threats continue to grow in sophistication, with hybrid threats combining physical and digital vulnerabilities becoming increasingly prevalent. Meeting DORA’s initial requirements is merely the foundation. Maintaining compliance and resilience will require constant vigilance.

Firms must essentially embed resilience into their operational DNA. This means conducting regular red teaming exercises to simulate attacks and test defences. It also means continuously monitoring systems and staying informed of the latest threat intelligence. And it calls for a forward-looking approach to innovation, integrating advanced technologies like AI and machine learning to enhance threat detection and response.

Crucially, operational resilience is about mindset as much as it is about infrastructure. Organisations that embrace DORA as an opportunity to evolve, rather than a compliance burden, will be better equipped to adapt to future challenges. The financial sector’s interconnected nature means that resilience at one firm contributes to the broader security of the ecosystem. This is a responsibility that no organisation can afford to ignore.

It’s not too late to take action

With just weeks to go, businesses must move decisively to prepare for DORA if they haven’t already. This is about more than avoiding regulatory scrutiny or fines. It is about protecting customer trust and ensuring the stability of the financial system. The measures being implemented now will lay the foundation for a more secure and resilient future.

The financial sector is uniquely positioned to lead by example. By demonstrating how collaboration and robust preparation can counteract the growing complexity of cyber threats, organisations can position themselves for success. Time is running out, and those that act now will be better placed to navigate the challenges ahead while contributing to the broader safety and stability of the industry.
