What is the Digital Operational Resilience Act, and how will it impact the UK?

By Wayne Churchill, Chief Executive Officer, NormCyber

The Digital Operational Resilience Act (DORA) is the latest in a series of stringent regulatory measures introduced by the European Union. Focused on tightening digital operational resilience measures and elevating IT security, DORA will introduce a synchronised approach to security standards across the EU’s financial sector and beyond, as companies servicing finservs within the bloc will also be affected.

With non-compliance resulting in severe fines, organisations have just half a year to get up to speed with DORA’s requirements and demonstrate to customers, peers and regulators that they follow best practice when it comes to operational resilience and risk management.

What is DORA, and who does it impact?

DORA targets financial entities across the EU including banks, insurance companies, investment firms and critical third-party organisations providing ICT or data services to the financial sector.

Lawmakers unveiled the first set of regulatory standards in January 2024, which consist of:

  • Harmonising ICT risk management and governance
  • Incident response and reporting
  • Third-party risk management
  • Digital operational resilience testing

In the UK, the Financial Conduct Authority (FCA) already has operational guidelines in place and actively investigates the cyber hygiene of regulated bodies – reviewing their cyber security strategies, safeguarding of critical assets, and incident response approach. However, whilst there are partial similarities between the FCA and DORA requirements, there are certainly distinctions, too.

UK regulations apply to financial entities such as banks, insurers, and payment firms, whereas DORA covers a broader spectrum including service providers in areas such as crypto-assets and data reporting. The most overlap will be seen in firms operating across both the UK and EU, but DORA introduces new requirements, particularly surrounding operational resilience testing and threat intelligence sharing.

Why is DORA needed?

There are several crucial reasons for DORA’s introduction, and regulators hope it will achieve a streamlined, well-rounded approach to digital operational resilience.

  • Mitigating against cyber security threats

Cyber-attacks can disrupt essential services, compromise sensitive data, and inflict significant financial and reputational damage on organisations. DORA aims to address these threats by enhancing the resilience of digital systems and fortifying defences against cyber incidents.

  • Navigating complex digital ecosystems

The interdependencies within these complex systems create vulnerabilities that can be exploited by cyber adversaries. DORA seeks to mitigate these risks by promoting a coordinated approach to digital resilience.

  • Patching fragmented regulatory landscapes

DORA provides a unified approach to previously fragmented processes, streamlining regulatory requirements across EU Member States and fostering greater cooperation among supervisory authorities.

  • Stabilising the criticality of the financial services sector

The financial services sector plays a pivotal role in the economy and society, making it a prime target for cyber-attacks. DORA recognises the criticality of the financial services sector and aims to bolster its resilience against cyber threats through enhanced regulatory oversight.

  • Aiding digital transformation

Organisations must take a considered approach to digital transformation if they want to stay competitive. By adjusting regulations to keep pace with technological evolution, DORA will ensure the resilience and security of digital systems.

How will DORA be enforced?

From 17th January 2025, enforcement will be carried out by designated regulators in each EU member state, known as “competent authorities”. Meanwhile in the UK, HM Treasury, in consultation with financial regulators, will allocate third parties to firms categorised as “critical”.

These authorities will monitor compliance, require organisations to remediate vulnerabilities, and impose administrative penalties. In some cases, they may also pursue criminal sanctions against organisations demonstrating repeat non-compliance. Each member state can make independent judgements on the severity of these penalties.

What happens in the event of non-compliance?

Failing to comply with DORA can have serious consequences. Regulatory entities can impose fines on non-compliant businesses that amount to one percent of the firm’s average daily worldwide turnover in the previous business year. Moreover, this fine can be imposed daily for up to six months until the business reaches compliance.

External expertise on the path to DORA compliance

Whilst the introduction of the new legislation, and the looming January 2025 deadline, may seem daunting, DORA is also an opportunity to reconcile organisations’ approach to digital resilience.

Whilst there will undoubtedly be new complexities to navigate, affected entities can enlist the support of specialist firms who provide comprehensive gap assessments. These appraisals identify an organisation’s security shortcomings, highlight areas for improvement, and support the continued development of their operational resilience.

The new requirements are also accompanied by a significant emphasis on third-party risk management, so the sooner firms establish close collaboration with critical ICT service providers, review existing contracts and prepare new contracts to comply with DORA, the better. As the old adage goes: fail to prepare, and prepare to fail!

