The EU\u2019s Digital Operational Resilience Act (DORA) regulation came into full effect on January 17, 2025, two years after its official adoption.<\/p>\n\n\n\n
The regulation aims to strengthen the resilience of the financial sector against various digital risks, including cyber threats and technology failures.<\/p>\n\n\n\n
It establishes a comprehensive framework that requires financial institutions to put in place robust operational resilience measures and to be better prepared for and able to respond to ICT (Information and Communications Technology) disruptions. <\/p>\n\n\n\n
Key provisions of the Act include Risk Management, Incident Reporting, Testing and Audit, and Third-Party Risk Management.<\/p>\n\n\n\n
But what does DORA mean, practically, for businesses, and what do they need to be mindful of?<\/p>\n\n\n\n
Tiernan Connolly, MD, Cyber and Data Resilience practice at Kroll<\/strong><\/p>\n\n\n\n \u201cDORA explicitly requires organisations to first identify their critical business processes, and then map them to the underlying technology assets, as well as third parties that support them. This essentially guides firms towards identifying critical dependencies and risk, and ensuring real-time monitoring, as well as regular testing of these dependencies, is in place.<\/p>\n\n\n\n \u201cDORA is set to influence the cybersecurity landscape by mandating higher transparency in incident reporting, harmonising testing standards like red teaming, and enforcing stringent third-party risk management protocols. These changes will prompt businesses to adopt proactive and sustainable resilience measures, reducing long-term risks and enhancing digital operational integrity.<\/p>\n\n\n\n \u201cWhile DORA is currently getting a lot of attention, there is, of course, another EU regulation on the horizon: the EU Cyber Resilience Act, which will undergo a phased implementation culminating in full applicability by 2027. Its primary focus is on building robust security and vulnerability management mechanisms into vendors\u2019 development and post-sale support processes for products with digital elements. This will complement DORA by ensuring vendors are also accountable for securing the products which enterprise organisations consume.\u201d<\/p>\n\n\n\n Joe Vaccaro, head of Cisco ThousandEyes<\/strong><\/p>\n\n\n\n \u201cWhat\u2019s key about DORA is the broadening of digital resilience to include the ICT suppliers that financial services companies rely on to deliver their services to customers. <\/p>\n\n\n\n \u201cIn an Internet-centric architecture, you can\u2019t go and reboot the Internet. So businesses need a new operational posture to manage disruptions. They need to understand what their hidden dependencies are. For example you might be using a third-party service for voice and messaging features in your application, but do you know the dependencies of that service, like which cloud provider it\u2019s hosted on? <\/p>\n\n\n\n \u201cFor financial services organisations, this means they will need to understand how they can discover and inventory their third-party dependencies, to map them, and to deploy processes to track that connectivity on an ongoing basis. <\/p>\n\n\n\n \u201cNot just financial transactions but all digital experiences today are powered by a digital supply chain that spans across owned and unowned networks. While DORA may apply to the financial services sector, achieving digital resilience in the face of disruptions is a boardroom issue no matter what industry you\u2019re in.\u201d <\/p>\n\n\n\n Andre Troskie, EMEA field CISO, Veeam\u00a0\u00a0<\/strong><\/p>\n\n\n\n \u201cAt a minimum, organisations need to ensure that third-parties implement robust risk management processes. As part of this, organisations need to require the renegotiation of all third-party service level agreements (SLAs) to cement DORA compliance as an essential prerequisite for work. Although time-consuming, organisations can\u2019t afford to underestimate the importance of securing third-party compliance.\u201d<\/p>\n\n\n\n Richard Lindsay, principal advisory consultant at Orange Cyberdefense<\/strong><\/p>\n\n\n\n \u201cRemaining non-compliant is likely to have severe ramifications. Firstly, the financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. Secondly, DORA is not toothless \u2013 fines of up to 1% of worldwide daily turnover and over \u20ac1m for individual senior leadership are significant and can certainly be used by IT and security leaders to reiterate the importance of cybersecurity and compliance to the board. <\/p>\n\n\n\n \u201cAll in all, DORA doesn\u2019t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. However, amid the tangle of new regulations, it\u2019s understandable that many firms are taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.\u201d<\/p>\n\n\n\n Desre Sheen, head of UK Financial Services Consulting Practice at Capgemini<\/strong><\/p>\n\n\n\n \u201cFinancial institutions are signalling that they have achieved the minimum required for compliance. However, the main challenge will be sustaining and evolving the underlying culture over time. Additionally, all plans need to be living documents, as the definition of a critical business service may change. It’s also important to be mindful that all regulations require a certain level of interpretation, and that means not every firm will be equally compliant.\u201d<\/p>\n\n\n\n John Smith, Veracode EMEA CTO <\/strong><\/p>\n\n\n\n \u201cAmong the steps organisations will need to take, a key one will be implementing a comprehensive digital operational resilience testing program that encompasses a wide range of testing methodologies to thoroughly assess their systems’ security and resilience. Regular vulnerability assessments and scans are crucial for organisations to identify potential weaknesses in software systems. It is also vital to conduct open-source analyses to evaluate the security and license risks associated with any open-source components integrated into their applications. <\/p>\n\n\n\n \u201dDORA also mandates threat-led penetration testing (TLPT) for critical systems. To comply with this requirement, organisations should start by identifying all relevant ICT systems, processes, and technologies that support their critical functions and operations, including those outsourced to third-party providers and assess which functions need to be covered by the penetration tests. <\/p>\n\n\n\n \u201cBeyond the mantra of test, test, and test again, DORA emphasises ICT security awareness and training. Organisations should implement compulsory ICT security awareness programs and digital operational resilience training for all employees, including senior management. These programs should be tailored to match the complexity of different roles and responsibilities within your organisation, and should include software security best practices, with a focus on secure coding practices and their importance in maintaining overall security.\u201d<\/p>\n\n\n\n Tim Wright, partner and technology lawyer at Fladgate<\/strong><\/p>\n\n\n\n \u201cSmaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers. This is compounded because DORA casts such a wide net catching a wide range of providers who do not supply typical IT service and are often seeing firms gold plating DORA\u2019s extensive requirements and taking a one-size fits all approach. Where a firm faces issues meeting full compliance by the deadline, they should demonstrate good faith efforts and maintain open communication with regulators. Authorities are likely to take a targeted approach to enforcement, focusing on significant and visible breaches.<\/p>\n\n\n\n \u201cIn terms of potential punitive measures for non-compliance, it\u2019s the usual EU approach of less carrot, more stick, with the risk of mega fines for the worst cases. On top of that, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for continued non-compliance, lasting up to six months. Other potential sanctions include public reprimands, business activity restrictions and potential license suspensions.<\/p>\n\n\n\n \u201cWhile the initial implementation costs will be substantial, especially for smaller firms (relatively speaking). The expectation is that the longer-term benefits of enhanced operational resilience and improved risk management will pay back the investment as implementation will lead to a more secure and resilient financial ecosystem. DORA will also create a surge in demand for cybersecurity professionals, particularly those with expertise in financial sector regulations and ICT risk management, but in the longer term, the increased demand presents significant opportunities for career advancement and recognition for cybersecurity professionals.\u201d <\/p>\n\n\n\n Bob Wambach, VP Product Portfolio at Dynatrace<\/strong><\/p>\n\n\n\n \u201cCompliance will only take banks so far. Financial services firms both in Europe and the UK must be prepared not just to meet the baseline requirements of DORA, but to empower their teams to respond instantly to operational disruption and cyber incidents. This means going beyond checkbox compliance measures. Organizations must prioritise continuous testing of their services and embrace a culture of resiliency first. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to rapidly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed. <\/p>\n\n\n\n \u201cIt remains to be seen how strictly EU regulators will enforce the rules surrounding DORA, but one thing is certain: no financial institution wants to be the first to fall short.\u201d <\/p>\n\n\n\n Andrew Rose, CSO at SoSafe<\/strong><\/p>\n\n\n\n \u201cFor many organisations within financial services and ICT, industries that have been a key target for cyber criminals in recent years, the impact of DORA should be minimal. These industries have already developed cyber maturity to defend themselves and adhere to regulatory scrutiny, prioritising areas such as risk governance, incident response, operational resilience testing, and 3rd party risk management \u2013 requirements that DORA will now enforce. <\/p>\n\n\n\n \u201cHowever, for previously unregulated firms that will now fall into the scope of DORA, such as credit rating agencies and certain types of exempt lending, factoring, and mini-bonds, and those associated with new financial models, such as crypto exchanges and peer-to-peer lending platforms, they will experience a new level of control requirements. There is no reason for alarm however as DORA simply requires a sensible level of controls across a wider scope, and given the losses we have seen from many crypto firms (more than $2b lost in 2024) this cannot come soon enough.<\/p>\n\n\n\n \u201cGiven that the majority of cyber breaches originate from human error, oversight and omission, any attempt to extract real value from becoming compliant with regulations such as DORA will only be effective if supplemented with awareness, education and training for both users, their families and customers. Technologies used by attackers are developing at pace and while compliance is essential, empowering our people to become our first line of defence must also be a priority.\u201d<\/p>\n\n\n\n Want to learn more about cybersecurity and the cloud from industry leaders? Check out\u00a0Cyber Security & Cloud Expo<\/a>\u00a0taking place in Amsterdam, California, and London.\u00a0Explore other upcoming enterprise technology events and webinars powered by TechForge\u00a0here<\/a>.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" The EU\u2019s Digital Operational Resilience Act (DORA) regulation came into full effect on January 17, 2025, two years after its official adoption. The regulation aims to strengthen the resilience of the financial sector against various digital risks, including cyber threats and technology failures. It establishes a comprehensive framework that requires financial institutions to put in […]<\/p>\n","protected":false},"author":57372,"featured_media":97532,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[499,1,497,501,496,502,18,30,29,3],"tags":[185,306],"ppma_author":[882],"class_list":["post-103725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-computing-banking-finance","category-cloud-computing","category-cloud-computing-companies","category-cloud-computing-digital-transformation","category-cloud-computing-enterprise","category-cloud-computing-future-work","category-cloud-computing-industries","category-cloud-computing-infrastructure","category-cloud-computing-regulation-government","category-cloud-computing-security","tag-cybersecurity","tag-finance"],"acf":[],"yoast_head":"\n