What's in DORA's backpack?
Gain an understanding of your DORA compliance by taking our DORA Readiness Quiz.
What’s in DORA’s backpack?
The new Digital Operational Resilience Act (DORA) will be enforced from 17 January 2025, but what could it mean for you?
Let’s delve into DORA’s backpack to learn more about the scope of the act, its requirements, the price of non-compliance – and what the implications are for your business.
If there’s one thing that creates FUD (fear, uncertainty and doubt) it would have to be a raft of new regulations coming into force in six-months’ time – but there’s no need to panic. At Cydea we firmly believe DORA could be a positive thing. Here’s why:
The act has been written with a risk-based approach – risk is our speciality, as it happens – and this is precisely what the financial sector needs. The cyber security risks to financial entities are constantly evolving, and we think DORA is the girl you need to protect your customers, and your organisation.
DORA was created in response to the growing digitalisation of the financial sector. Think about it, were you managing your money through an app even five years ago? When was the last time you walked into a bank branch? Meanwhile, organisational reliance on third-party services and cloud providers has increased dramatically.
At the same time, the frequency and severity of cyber incidents is increasing year by year. So, we have a far greater attack surface and more motivated, sophisticated attackers. Suddenly some stricter protections start to sound like a good idea, don’t they?
Are you within DORA’s scope?
DORA’s primary goals are twofold: to enhance the operational resilience of financial institutions, and to provide a unified regulatory framework to reduce fragmentation across the EU.
The act applies to a wide range of financial entities, such as banks, payment service providers, investment firms and insurance companies, among many others.
Importantly, the act also applies to all third-party information and communications technology (ICT) service providers supplying vital services to these institutions. This includes outsourced technology providers, endpoint suppliers, managed service providers, cloud-based platform hosts, software vendors, contractors, and more.
While DORA is an EU framework, its reach extends beyond those borders. If you are a UK-based financial entity that operates in the EU, or a UK subsidiary of an EU-based firm, you will need to comply.
Additionally, if you’re a UK-based company providing critical ICT services to a UK-based financial institution that also does business in Europe, or to an EU-based financial institution, you will also need to comply.
What are DORA’s requirements?
DORA is structured in five key pillars, each of which defines specific elements designed to bolster digital operational resilience. Here are the headlines:
- ICT Risk Management
- Financial entities must establish robust governance frameworks, including comprehensive policies and procedures and conduct regular and thorough risk assessments.
- ICT Incident Response and Reporting
- There will be mandatory, detailed reporting of significant ICT-related incidents within a specific timeframe.
- Digital Operational Resilience Testing
- Organisations will be required to implement regular testing schedules, including vulnerability assessments and penetration testing. In some cases, independent third-party assessments may be mandated.
- Third-Party ICT Provider Risk Management
- More rigorous due diligence processes and specific contractual arrangements will be required, in addition to ongoing monitoring and reviews of third-party providers.
- Information Sharing
- Financial institutions will be encouraged to share intelligence on cyber threats and vulnerabilities within their sector.
What if I don’t comply?
Due to the regulated nature of the financial services industry – and the potentially catastrophic impacts if a serious cyber incident were to occur – there are stiff penalties for entities within scope failing to comply with DORA.
Unsurprisingly, there are significant fines for failure to comply:
- Fines can be up to 2% of the total annual worldwide turnover, or 1% of the average daily worldwide turnover for the duration of non-compliance.
- If an individual is found to be responsible for non-compliance resulting in an incident, the maximum fine is €1 million.
- Third-party suppliers of critical ICT-related services may face fines of up to €5 million.
- If an individual at a third-party supplier is found to be responsible for non-compliance resulting in an incident, the maximum fine is €500,000.
In addition to fines, financial institutions may be forced to pay compensation to customers or third parties for any damages resulting from an instance of non-compliance.
Regulatory authorities also have the power to require non-compliant organisations to take remedial measures to address any weaknesses or failures in their operational resilience. Public shaming is also a possibility; regulators have the right to openly reprimand financial entities that fail to comply with DORA requirements.
Ultimately, regulatory authorities have the right to withdraw the authorisation of any financial entity that repeatedly fails to comply with the requirements of the new act.
Penalties for non-compliance are established by the European Supervisory Authorities (ESAs) and are designed to enforce compliance, ensuring that financial entities and their critical technology service providers maintain robust digital operational resilience.
What does it all mean for my business?
In short, from 17 January 2025, the act is going to have a number of direct impacts on the financial sector, and demand a more proactive approach from businesses.
If you’re in any way connected to the financial sector in the EU, it’s likely you will need to make adjustments to your security arrangements. Daily operations will need to incorporate more rigorous testing, reporting, and third-party management practices.
Cyber security professionals will also be held to higher standards of accountability for risk management. Additionally, cyber professionals and organisations will need to invest in continuous learning and upskilling to keep up to date with the latest threat landscapes, testing methodologies, and compliance requirements.
There will also be a greater emphasis on collaboration between financial entities and regulatory bodies to share threat intelligence and improve collective resilience. Importantly, this means cyber security professionals may in future be able to take a more strategic role in shaping risk management frameworks and resilience strategies.
So, while the consequences of non-compliance can be severe, there’s no reason to dread DORA; it could be simpler than you think to gain compliance for your organisation.
Gain an understanding of your DORA compliance by taking our DORA Readiness Quiz.
If you’d like to know more about how DORA could impact your business, or what you will need to do to ensure compliance, there are lots of ways Cydea can help.
And stay tuned next week for a closer look at how the new act is different from ISO 27001.