Navigating the post-DORA landscape

Jason Smith, senior principal, strategy and transformation at Conga

The Digital Operational Resilience Act (DORA) has applied since 17th January 2025, mandating strict requirements for information and communications technology (ICT) risk management, incident reporting and third-party oversight. Now, as regulators begin enforcing these rules more rigorously, financial institutions must move beyond compliance checklists and focus on building a resilient cybersecurity posture. The key IT security aspects organisations should prioritise moving forwards include:

  • ICT risk management – financial institutions need to identify internal and external threats, evaluate their potential impact and develop appropriate strategies to mitigate them
  • Incident reporting – organisations must be transparent about ICT-related incidents and have robust systems to detect, classify, report and analyse them, including the major incidents that must be reported to the competent authority
  • Digital operational resilience testing – organisations must conduct a range of assessments, from vulnerability scanning to threat-led penetration testing for the largest entities, to demonstrate that their controls work in practice and not only on paper
  • Third-party risk management – financial institutions are responsible for conducting due diligence on ICT third-party providers and for monitoring the risk those providers introduce throughout the life of the contract
  • Information sharing – this includes establishing a framework for exchanging cyber threat information and intelligence with peers, and ensuring this is done confidentially and in compliance with current data protection laws

Strengthening IT security posture

DORA was designed to strengthen the operational resilience of financial entities operating in the European Union (EU) by enhancing how businesses mitigate, document and react to potential threats and vulnerabilities. Unlike earlier, sector-specific guidance, it applies across the financial services sector, whether traditional or digital banks and other credit institutions, payment institutions, insurers, asset managers or private equity firms. Since January, all of these businesses have been accountable for documenting, within their ICT risk management frameworks, how they oversee and manage their ICT third-party providers, with particular attention to those that support critical or important functions.

These mandates initially provoked concern amongst industry leaders, particularly given the lack of clarity regarding key items and terms, including the definition of ‘critical’ and which companies would qualify as critical third-party (CTP) providers. Industry bodies such as the Futures Industry Association (FIA) responded in September 2023 to the European Supervisory Authorities’ (ESAs) consultations on DORA’s policy products. The FIA also asked for transparency regarding how ICT-related incidents would be classified.

The most immediate consequence of the DORA mandates is the penalties that can now be enforced against financial institutions that are not compliant. DORA leaves the administrative penalties for financial entities to the competent authorities of each member state; fines of up to two percent of total annual worldwide turnover for a firm, and up to €1,000,000 for an individual, have been widely reported as the expected ceilings. Separately, a critical ICT third-party provider that fails to comply with the Lead Overseer’s recommendations can face periodic penalty payments of up to one percent of its average daily worldwide turnover, applied daily for up to six months.

Remaining compliant and mitigating risk

With the deadline having passed, it is crucial that businesses stay on top of their operations and implement the appropriate risk protocols. The first step is understanding the regulation and how it applies to the organisation and its current partners. Naturally, this will require regularly reviewing and updating processes and third-party agreements. One way to approach this is to conduct a gap analysis comparing existing contracts and controls with what DORA requires, such as the contractual provisions on service levels, audit and access rights, incident support and exit strategies, and to reassess ICT third-party risk on a regular basis rather than only at onboarding.

In light of the CrowdStrike outage in July 2024, in which a faulty content update crashed an estimated 8.5 million Windows devices, understanding third-party risk is going to be crucial in the year ahead. The lesson is not only that such an event should be prevented, but that financial entities must be insulated from the downstream effects when one occurs: tested rollback and recovery procedures, and an understanding of which critical functions depend on which supplier. Regulatory bodies will be monitoring businesses far more closely, questioning third-party providers on their security measures and on where they keep valuable customer information, and financial institutions will need to hold their chosen vendors accountable.

The new regulatory landscape: further legislation?

DORA is not the only piece of legislation financial institutions need to contend with this year. The NIS2 directive, which member states were required to transpose into national law by 17 October 2024, establishes a unified legal framework for cybersecurity across 18 critical sectors in the EU. The directive has extraterritorial reach, meaning that it applies to companies providing services in the EU even if they are based outside it, and it makes management bodies personally accountable for non-compliance.

There is also the revised Markets in Financial Instruments Directive (MiFID II), the ongoing impact of the General Data Protection Regulation (GDPR) and new Environmental, Social and Governance (ESG) reporting obligations. Similarly, the UK Government is expected to introduce the Cyber Security and Resilience Bill later this year as a means of strengthening the nation’s cyber defences and ensuring critical infrastructure and digital services are secure and resilient. All of these are shaping financial institutions’ operational strategies for 2025 and beyond.

It appears that DORA may just be the start of further regulatory updates that financial institutions can expect over the next few months. It is vital that organisations have the right policies, processes and technology in place to ensure that they are compliant and ready to adapt to the evolving regulatory landscape.

The post-DORA age

With DORA now in force, financial institutions need to ensure that they understand what is being asked of them and review their third-party contracts, both new and existing. The post-DORA age has set clear objectives for businesses: compliance is a continuous process, not a one-time effort. Operational resilience will become the expected standard, so organisations will need to review their processes and technology stack far more regularly and stay on top of regulatory updates. The best way a business can do this is by systematically reviewing its data and investing in the right technologies so that it is agile and flexible: ready to adapt to future regulatory requirements and to stay ahead of the latest cybersecurity threats.
