European Union to Introduce DORA, the Digital Operational Resilience Act, from January 2025
By January 2025, banks and their technology suppliers across the European Union will face compliance requirements under the Digital Operational Resilience Act (DORA). This legislation aims to safeguard the financial industry's ability to withstand significant IT disruptions, and the regulatory framework is set to become a cornerstone in maintaining stability within the financial sector.
Key Facts:
- The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.
- It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
- DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers.
New European Union Regulation
The Digital Operational Resilience Act (DORA) mandates that banks, insurance companies and investment firms enhance their IT security structures. The central goal of this EU regulation is to ensure that the financial services sector remains resilient amid severe operational disturbances, such as ransomware attacks or Distributed Denial of Service (DDoS) assaults.
DORA’s reach is critical in avoiding significant outages, akin to the recent IT meltdown triggered by CrowdStrike’s erroneous software update, which caused Microsoft Windows to malfunction globally. Financial giants like JPMorgan Chase, Santander, Visa, and Charles Schwab experienced service outages that took hours to mend. Under DORA, such outages would come under intense regulatory scrutiny.
Why DORA Matters
DORA aims to mitigate the risks posed by third-party tech vendors. This need became glaringly evident following incidents like the CrowdStrike update. Moving forward, financial firms must employ rigorous IT risk management, incident classification and reporting, resilience testing, and cyber threat information sharing.
An exceptional feature of DORA is its requirement for banks to scrutinize and manage risks associated with their tech suppliers. As Mike Sleightholme from Broadridge International points out, this regulation emphasizes not just bank operations but also the critical digital services provided by third-party vendors.
DORA officially took effect on January 16, 2023. However, enforcement by EU member states will commence on January 17, 2025. This timeline reflects the EU's focus on the financial sector's technological dependencies, which currently magnify its vulnerability to cyberattacks and related incidents.
According to stakeholders like Stephen McDermid from Okta, financial firms are aligning their internal resilience and third-party risk programs with DORA standards and addressing any existing compliance gaps.
Consequences of Non-Compliance
Firms that fail to comply with DORA could face steep fines, up to 2% of their annual global revenues. Individual executives may also be penalized, with potential fines reaching 1 million euros.
For tech suppliers, fines can be as high as 1% of their average daily global revenue from the prior year. Furthermore, third-party IT providers deemed essential by EU authorities might incur fines up to 5 million euros, or 500,000 euros for individual managers.
Despite significant strides towards compliance, financial firms and tech vendors still face hurdles. Fredrik Forslund of Blancco indicates that while the industry has made considerable progress, it remains a work in progress. The push continues to fully comply by the January deadline, but challenges persist.
The Road Ahead
DORA signifies a substantial shift in regulatory expectations around digital resilience in the financial sector. The act underscores the necessity for both internal security enhancements and robust third-party risk management. As the deadline approaches, the concerted efforts of financial firms to meet these rigorous standards will be crucial in fortifying the entire financial ecosystem against cyber threats and operational failures.