The Digital Operational Resilience Act (DORA) is now officially in effect across the European Union. This regulation establishes a unified framework to strengthen Information and Communication Technology (ICT) risk management within the financial sector. Consequently, banks and financial institutions have revamped their internal systems to comply with the requirements, aiming to enhance resilience and safeguard sensitive personal data.
A New Era for Operational Resilience
Grant Harper, Global Lead for Financial Services at ITRS, emphasized the significance of DORA, stating, “DORA comes at a time when scrutiny over operational resilience continues to intensify. Operational resilience is not just about ticking regulatory boxes, it is about safeguarding reputation and maintaining trust in a competitive market.”
Over the past decade, the increasing complexity of the banking sector due to digital transformation has heightened the need for robust cybersecurity and risk management protocols. DORA addresses this by setting clear requirements for cybersecurity measures, resilience strategies, risk monitoring, and oversight.
Challenges in DORA Compliance
DORA came into effect only yesterday, yet its rollout already faces challenges. Simon Treacy, Senior Associate for Financial Regulation at Linklaters, has highlighted ongoing uncertainties surrounding its implementation:
“A significant challenge is that the DORA rulebook is still not finalised. Firms will need to be ready to respond to last-minute changes, especially those that impact contracts with IT providers.
“The European legislators are still working on detailed rules related to subcontracting ICT services and threat-led penetration testing. Guidance from the European Commission on the scope of ‘ICT services’ under DORA is also expected. Depending on the outcome, firms may need to extend their implementation projects.”
Treacy also noted that DORA compliance is not a one-time task but an ongoing process that must evolve alongside each firm’s internal operations.
Investment in DORA Preparation
According to research by Rubrik Zero Labs, 47% of financial organisations in the UK have already invested over €1 million in preparing for DORA compliance, while 28% have spent between €501,000 and €1 million. The study also revealed that 46% of financial institutions identified ransomware as the greatest threat to their security.
Carl Leonard, Cybersecurity Strategist for EMEA at Proofpoint, emphasized the importance of sustained efforts post-implementation:
“As we move past the deadline, organizations should not diminish their efforts. A critical, and often overlooked, aspect of maintaining resilience is continuous risk assessments. This is especially crucial when integrating new technologies, services, or third-party suppliers. Thorough due diligence and proactive risk evaluation are essential to avoid new vulnerabilities and maintain a strong security posture.”
Leonard further stressed the need for maintaining “cyber hygiene” and robust security practices, particularly as companies incorporate modern technologies such as AI-powered solutions.
Concerns Over DORA’s Impact
In December 2024, the World Federation of Exchanges (WFE) raised concerns with the European Commission about the potential discriminatory impact of certain DORA provisions. This adds another layer of complexity to the regulation’s rollout.
Looking Ahead
Now that DORA is in effect, its impact extends beyond initial compliance efforts. Financial institutions must take a proactive stance on cybersecurity, resilience, and regulatory alignment to ensure their operations remain secure in an increasingly digital and interconnected landscape.