Thomas Stoesser | Jan 16, 2025 | Compliance, Financial Services

The DORA Deadline Is Here: But There’s Still Time to Comply

It’s almost time. After several years in the making, the long-awaited compliance deadline for the EU Digital Operational Resilience Act (DORA) is finally here. After Friday, January 17, non-compliant organizations serving customers inside the bloc could theoretically be hit with multimillion-euro fines. The repercussions will be felt not just within Europe, but globally.

Analysts are warning, however, that many in-scope businesses may fail to meet the deadline. No matter. DORA offers a fantastic opportunity for banks and IT service providers to improve operational resilience and bolster customer trust. For that reason alone, efforts should be redoubled to fast-track compliance plans.

Why DORA, why now?

Financial services touch every aspect of our lives. But that dependence creates potential risks for societies and national economies. Last year, a report from the International Monetary Fund (IMF) warned that more than 20,000 cyber-attacks on the sector have caused losses exceeding $12bn over the past 20 years. It claimed that “extreme losses” have more than quadrupled since 2017 to $2.5bn.

But improving cyber-resilience isn’t just about mitigating these economic losses. A serious attack could undermine trust in the financial system itself, the IMF warned, potentially leading to bank runs. That’s why the European Commission wants the industry to boost its ability to withstand the operational impact of serious security breaches.

DORA is built on five pillars:

IT risk management: Proactive measures to monitor and mitigate risk, with active oversight from senior management. This should include things like patching and continuous monitoring for suspicious activity, as well as disaster recovery and business continuity.

Data protection is also key. Article 9, paragraph 2 of DORA states that complying organizations must “maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.”

Incident management and reporting: Processes to log all incidents, determine major incidents and submit reports to the relevant authorities in a standardized manner.

Supply chain risk management: Close monitoring of third-party risk, including due diligence on ICT providers, to ensure suppliers are as secure and resilient as their financial services partners.

Resilience testing: Periodic testing of ICT risk management frameworks, including tabletop exercises, vulnerability assessments and penetration testing.

Information sharing: Promoting anonymous sharing of threat intelligence among the financial services community.

The direction of travel

According to Forrester senior analyst Madelein van der Hout, some organizations “are still in the process of addressing gaps and scaling up their efforts.” She stresses urgency in these compliance initiatives—not just because financial institutions could be fined €10m or 2% of global turnover, but because regulators have the power to suspend business activities until in-scope businesses achieve full compliance.

“There’s also reputational damage to consider,” she adds in a message circulated to the media. “Violations of DORA can erode customer trust and investor confidence, leading to long-term financial consequences that go beyond fines.”

Indeed, compliance isn’t just about avoiding fines. As van der Hout argues, what becomes law in the EU is often adopted by organizations for all their global customers, as it is easier to do so.

“Companies in North America and APAC will likely align their practices with DORA to remain competitive, ensure interoperability with EU clients, and strengthen their operational resilience,” she explains.

This is the positive case for compliance. By following best practices for cyber resilience as laid down in DORA—including strong data protection—organizations can build customer trust and even differentiate globally. That’s a powerful argument for regulatory compliance and cybersecurity as a growth enabler. The journey should start today.
