Numbers never lie. The second most targeted industry in terms of hacking and breaches is Finance, which was the victim of somewhere between 2,306 and 2,792 cyberattacks in 2023 (depending on the source). With each data breach costing an average of $6.08M (+3.05% YoY), it’s clear that this is a top priority for InfoSec and Compliance leaders alike. These compromises (cyberattacks plus system and human errors) affected 61 million people in 2023, which represents a skyrocketing increase of 258% since 2018.
Despite the growing number of regulations and processes put in place to control and protect the sector, financial services organizations have the highest average number of exposed sensitive files (~450,000), and more than 64% of these companies have more than 1,000 critical files accessible to any employee.
To respond to these persistent cyber threats, the EU has enacted the Digital Operational Resilience Act, known by its acronym, DORA.
What is DORA?
The Digital Operational Resilience Act will come into effect on 17 January 2025. This act is a response to the growing vulnerability of financial institutions to cyberattacks as they integrate more technology into their operations. This sector’s digital operational resilience is crucial, as poorly managed information and communications technology (ICT) risks can lead to disruptions in cross-border financial services, affecting various industries and broader society.
Thus, the purpose of DORA is to fortify the IT security of financial institutions like banks, insurers, investment firms, payment providers and their ICT services to ensure the European financial sector remains solid in the event of major operational disruptions.
As part of the EU Digital Finance Package adopted in 2020, DORA complements other European regulations like GDPR and the NIS Directive, contributing to a safer and more resilient financial ecosystem.
Who needs to comply with DORA?
It is estimated that 22,000 European financial companies and ICT service providers, as well as supporting ICT structures located outside the EU, will have to comply with DORA.
How does DORA work?
As DORA’s regulatory requirements continue to evolve, financial institutions must implement a strong framework for operational resilience, risk management and incident response. The growing complexity of regulatory obligations and the need for efficient, interconnected compliance across the financial sector demand a unified and automated approach to managing resilience and risk.
DORA standardizes operational resilience regulations for 20 diverse types of financial entities and ICT third-party service providers within the financial sector.
The act covers six key pillars:
1. Digital operational resilience testing
- Low-level and high-level testing
2. ICT-related incidents
- Core requirements are outlined for information and communications technology
- Incident reporting obligations for major ICT disruptions
3. ICT risk management
- Guiding principles and regulatory requirements for ICT risk management
4. ICT third-party risk management
- Monitoring third-party service providers
- Critical contractual clauses
5. Information sharing
- Cyber threat intelligence exchange
6. Oversight of critical third-party providers
- Regulatory framework for critical third-party ICT services
Penalties for not complying with DORA
Failing to comply with the Act’s requirements can lead to serious financial consequences for the following parties:
- Companies: Up to 2% of the total annual worldwide turnover OR up to 1% of the average daily turnover globally
- Individuals: Up to €1,000,000
- Third-party ICT service providers: Up to €500,000 for individuals; €5,000,000 for companies
Challenges in complying with DORA
Rome wasn’t built in a day, and neither will your operational resilience be. DORA’s wide scope, covering various financial entities and third-party providers, presents significant compliance challenges, especially for smaller firms.
- Implementation complexity: DORA requires financial institutions to overhaul their operational frameworks, often involving integrating new systems for risk management and incident reporting
- Third-party risk management: DORA’s strict oversight of third-party providers increases complexity, mainly when dealing with large, global service providers
- Cyber incident reporting: DORA’s strict reporting requirements, especially the tight timelines for initial and intermediate notifications, can be challenging to meet, particularly during large-scale cyberattacks
- Resource intensity: Compliance with DORA demands significant financial and human resources, including hiring new staff, investing in technology, and ongoing training. Smaller firms may face particular challenges
- EU-wide compliance and enforcement: Enforcing uniform compliance across EU member states, each with its own regulatory framework, can be challenging for multi-national firms. Coordinating with national authorities adds administrative burdens
- Operational resilience testing: Continuous testing of ICT systems, including penetration testing and stress testing, is resource-intensive and can disrupt operations if not managed carefully
- Evolving cyber threat landscape: Keeping pace with the evolving cyber threat landscape while adhering to DORA’s strict requirements requires constant vigilance
- Data protection and privacy: Incident reporting and monitoring involve handling sensitive data, requiring compliance with DORA and the GDPR
- Coordination with existing regulations: Aligning DORA with current international and national regulations without creating overlaps or conflicts is a complex task
Your next steps
As mentioned earlier, the Act will become effective in mid-January 2025. However, you can already plan your actions to avoid any last-minute inconvenience. Relying on specialized technology to meet DORA’s requirements can save you a lot of hassle and rush.
NAVEX One, a leading GRC platform, enables financial organizations to meet these critical requirements. Through centralized processes, advanced data intelligence, and tailored solutions, NAVEX helps financial institutions of all sizes achieve compliance and operational resilience.
Ready to learn more about how to comply with DORA and how NAVEX can help? Download our playbook now!