Paulina Twarogal
The financial sector’s reliance on digital technology and ICT (Information and Communication Technology) has grown significantly in recent years. However, this growing dependence has also led to greater exposure to significant cyber threats and operational disruptions.
To address these concerns, the European Union has introduced the Digital Operational Resilience Act which was a crucial step towards enhancing digital resilience in the financial sector.
Keep reading to learn more about this regulation, why it matters, the consequences of non-compliance, and how financial organizations can prepare for it.
Key takeaways:
- The Digital Operational Resilience Act, effective January 17, 2025, aims to strengthen digital resilience and enhance the ability of financial institutions to withstand cyberattacks and operational disruptions.
- It applies to a large number of financial institutions and ICT service providers, over 22,000 in the EU.
- It covers five areas: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing.
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) is an EU regulation that sets a single standard for ICT risk management in the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025.
At its core, it aims to build a resilient financial ecosystem that can handle technical issues and cyber threats effectively. By establishing clear and consistent rules across all member states, it ensures that banks, insurance companies, and other financial institutions can operate without disruption, even in the face of technical problems or cyber threats. The Digital Operational Resilience Act also applies to key third-party providers, such as cloud services and data analytics services.
Organizations that fail to comply in time face penalties. Following DORA is not only about avoiding fines, though; it is a chance to improve how financial institutions handle cyber threats and recover from disruptions. The regulation also reflects the EU's preference for close supervision, with an emphasis on regular reporting and clear communication with supervisors.
Why is this regulation relevant?
Because there has so far been no unified framework for managing and mitigating ICT risk in the European financial sector, the Digital Operational Resilience Act is a significant change. The regulation stands out because it:
- Applies to over 22,000 financial entities and ICT service providers operating in the EU.
- Introduces new and clear requirements for all financial institutions.
- Addresses regulatory gaps and conflicts between different EU states and makes it easier for financial institutions to follow the rules.
- Establishes a comprehensive framework for risk management, operational capabilities, and third-party management.
- Ensures the stability and integrity of the EU’s financial system, considering the entire value chain.
- Introduces EU-wide supervision of key external ICT service providers.
Which financial institutions must comply?
The Digital Operational Resilience Act applies to financial entities subject to EU regulation, including:
- banks and other credit institutions
- investment firms
- insurance and reinsurance companies
- payment service providers
- stock exchanges and other trading venues
- crypto-asset service providers
- pension funds (institutions for occupational retirement provision)
- data reporting service providers
- cloud service providers
- other third-party ICT service providers
The 5 pillars of the Digital Operational Resilience Act
The regulation provides a clear framework to enhance the digital and cybersecurity resilience of financial systems across European markets. It focuses on five key areas to strengthen how financial institutions manage and respond to digital risks.
Pillar 1: ICT risk management
ICT risk management is the foundation of the Digital Operational Resilience Act. Financial institutions are required to develop, implement, and maintain strong ICT systems and protocols. These include secure networks, encrypted databases, and regular backups. By setting up detailed risk assessment processes, businesses can identify potential weaknesses in their digital operations.
Responding to incidents is not the only aim, however. Institutions must actively manage and reduce ICT-related risk before anything goes wrong. A clear ICT risk management strategy ensures the business is prepared for disruptions and threats and can address them swiftly when they occur.
Key requirements under the Digital Operational Resilience Act include:
- Determining acceptable levels of risk and impact from ICT disruptions.
- Planning and approving strategies to keep the business running during disruptions.
- Creating disaster recovery plans for handling and recovering from major incidents.
- Setting up security measures to protect important digital assets and resources.
Pillar 2: ICT incident reporting
The second pillar standardizes how financial institutions classify and report major ICT-related incidents such as system outages, cyberattacks, and data breaches. Harmonized reporting to the competent authorities lets supervisors gather comparable data and identify common issues across the sector, strengthening overall resilience.
To comply, financial institutions need processes to detect, classify, and log ICT incidents internally for management and mitigation, and to report major incidents externally to their competent authority and, where the incident affects clients' financial interests, to the affected clients. Reporting is staged: an initial notification, an intermediate report, and a final report containing the root-cause analysis, which is due within a month. The aim is transparency and the early identification of shared risks.
Pillar 3: Digital operational resilience testing
All financial institutions are required to test their ICT systems regularly to confirm they can withstand disruptions. Key requirements include:
- Testing, at least annually, all ICT tools and systems that support critical or important functions.
- Identifying, mitigating, and eliminating the weaknesses and issues the tests reveal by implementing corrective measures.
- Conducting advanced threat-led penetration testing (TLPT), at least every three years, of the ICT systems that support critical or important functions, where the competent authority requires it.
- Requiring external ICT service providers to participate in and fully cooperate with these testing activities.
Pillar 4: Third-party risk management
The Digital Operational Resilience Act also reaches the ICT providers that support the financial sector. Financial institutions must actively manage the risks these third-party services introduce. When outsourcing functions that are critical or important, they must set clear contractual terms covering exit strategies, audit and access rights, and security requirements. They may only work with providers that meet these standards, and supervisors can require a financial entity to suspend or terminate a contract with a provider that does not comply.
Institutions must maintain a register of their ICT dependencies and avoid concentrating too much on any single provider. Critical ICT service providers are overseen directly at EU level by the European Supervisory Authorities (ESAs) through a designated Lead Overseer, which can issue recommendations and impose periodic penalty payments on providers that do not cooperate. Competent authorities can in turn require financial firms to stop using a provider that fails to meet the requirements.
Pillar 5: Information and threat intelligence sharing
This pillar highlights the need for financial entities to learn from ICT incidents by sharing information. They are encouraged to join voluntary threat intelligence networks to improve their understanding and response to cyber risks. However, any shared data must be safeguarded in accordance with regulations, such as protecting personal information under the General Data Protection Regulation (GDPR).
The timeline of the Digital Operational Resilience Act
The timeline below highlights the major milestones in the history of the Digital Operational Resilience Act.
Current status of DORA
Even though the regulation has been officially adopted, the European Supervisory Authorities are still finalizing the detailed regulatory and implementing technical standards that specify how it is to be implemented; these are expected to be completed in 2024. The European Commission is also working on the framework for overseeing critical ICT providers, which is likewise due to be finalized in 2024.
Penalties for non-compliance with DORA
The regulation itself sets no fixed fine amounts for financial entities: under Article 50, administrative penalties and remedial measures are laid down by each member state, which must make them effective, proportionate, and dissuasive. The ceilings widely anticipated under those national regimes are fines of up to 2% of annual global turnover, periodic penalty payments of 1% of daily global turnover for every day until the entity becomes compliant and, in extreme cases, a temporary suspension of activities. Senior or responsible individuals within financial entities (e.g. CEOs, CFOs, CTOs, and board members) who breach the regulation or fail to meet compliance obligations may face personal fines of up to EUR 1 million.
For critical third-party ICT service providers the regulation is explicit: the Lead Overseer may impose periodic penalty payments of 1% of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months, until the provider complies with its oversight measures (Article 35). Beyond that, fines of up to EUR 5 million for the provider and up to EUR 500,000 for an individual within it are the ceilings cited for non-compliance with the act's requirements.
Each EU member state can also impose additional measures, including audits, suspensions, cease-and-desist orders, and public notices. Penalties are administrative and, where a member state so provides, criminal.
| | Financial institutions | Third-party ICT providers |
| Basic penalty | Up to 2% of annual global turnover (set by member states) | Up to EUR 5 million |
| Periodic penalty | 1% of daily global turnover per day until compliant | 1% of average daily worldwide turnover per day, for up to six months (Article 35) |
| Penalty for individuals within the entity | Up to EUR 1 million | Up to EUR 500,000 |
| Potential operational impact | Possible temporary suspension of activities | Suspension or cease-and-desist orders |
Key challenges of a successful DORA compliance journey
The path to compliance with the Digital Operational Resilience Act presents major challenges for financial institutions. These challenges, gathered from business testimonies at the conference organized by PwC France in 2022, include:
- Understanding DORA’s regulatory approach.
- Starting early to meet the January 2025 deadline.
- Adapting governance and management buy-in.
- Engaging all key stakeholders in the process.
- Leveraging existing resilience initiatives.
- Sharing cyber threat information across the industry.
- Reviewing relationships with ICT service providers.
- Testing resilience regularly.
- Developing a culture of operational resilience throughout the organization.
Preparing for DORA compliance: A checklist for IT leaders
Bringing the Digital Operational Resilience Act to life is challenging for financial institutions and third-party ICT providers. We have created a comprehensive checklist to help you get started.
Step 1: Review current ICT systems
Review your systems and find the gaps. Some requirements are concrete, for example segregating backup data and testing recovery plans annually. Others, such as resolving cyberattacks quickly, are open-ended. Cover both the specific and the ambiguous requirements in your gap analysis.
Step 2: Build a cyber resilience culture
Resilience is key here. It is more than disaster recovery and includes:
a) proactive risk identification,
b) detecting threats quickly,
c) responding effectively, and
d) recovering efficiently.
That’s why making cyber resilience a core focus throughout the organization should become a crucial step.
Step 3: Work with regulatory bodies
The regulation aims to standardize practices across the EU financial sector. Engage with your competent authority and the European Supervisory Authorities responsible for implementing it, share knowledge, and follow the technical standards as they are finalized. Open communication with supervisors makes compliance easier to navigate and keeps you current with the requirements.
Step 4: Meet new technical standards
Use existing tools and partnerships to meet the technical requirements. Sometimes, additional investments may be necessary, such as immutable backup systems that are physically and logically separate from other data sources. Plan for these upgrades to stay ahead of compliance needs.
Recommendations for C-suite executives to navigate DORA compliance
C-suite executives play an important role in leading their companies towards compliance with the Digital Operational Resilience Act. That’s why viewing this regulation as an opportunity for strategic transformation is the key.
To effectively navigate the DORA compliance journey, managers should:
- Make sure it’s applied across all parts of their organization.
- Provide clear guidance to stakeholders.
- Assess the risks and opportunities (especially around ICT outsourcing).
- Allocate sufficient resources (budget and people) to implement necessary measures that meet the regulation’s requirements.
- Build a culture of cybersecurity and operational resilience across the organization.
- Have the technology and tools to be compliant.
- Keep open communication with regulators and industry bodies to stay up to date with the new EU regulation and best practices.
By following these steps, C-suite executives can bring their organization into compliance with the Digital Operational Resilience Act and make it more resilient at the same time.
Recommendations for compliance officers and risk managers
Both C-suite executives and compliance officers together with risk managers play a key role in ensuring compliance with the new EU cybersecurity regulation. Yet, their responsibilities and focus areas are different. The former provide strategic direction and oversight while the latter focus on the operational implementation of the requirements.
Compliance managers focus on:
- Ensuring that the company follows regulatory requirements.
- Developing policies and procedures related to compliance.
- Conducting audits and training staff on compliance matters.
- Preparing reports for internal and external stakeholders.
On the other hand, risk managers, led by the Chief Risk Officer (CRO), should:
- Identify, assess, and mitigate all types of risks (ICT, operational, reputational, and legal risks).
- Ensure that these risks are integrated into the company’s overall risk strategy.
By working together, compliance managers ensure the risk framework is aligned with regulatory standards, while risk managers evaluate and manage those risks holistically. This collaboration will help the organization respond to both regulatory and operational challenges and strengthen overall resilience.
Achieve DORA compliance with Neontri
Reach out to Neontri if you would like to know more about the Digital Operational Resilience Act and how to meet its requirements. We guide businesses through the whole process and help them achieve compliance. By partnering with Neontri, businesses can minimize risk, enhance resilience, and gain a competitive edge. Contact us today to learn how we can help your organization.
Final thoughts
The Digital Operational Resilience Act is a big step towards a safer European financial system. By addressing growing cyber and operational risks, it will create a more digitally resilient environment.
DORA compliance is key for financial institutions to protect themselves from cyber threats, operational disruptions, and regulatory fines. Knowing what the regulation requires and staying ahead of the risks will help financial institutions succeed in the long term.
FAQ
How does the Digital Operational Resilience Act contribute to the European digital finance strategy?
DORA aligns with the European digital finance strategy by making the financial sector more resilient to cyber threats and severe operational disruptions. This supports a stable and secure digital environment for financial services in the EU.
What’s the biggest challenge when it comes to DORA?
The biggest challenge for financial institutions is investing in new technology and resources to meet the strict requirements for cybersecurity and operational resilience.
How does DORA define “critical third-party service providers”?
DORA does not leave this to individual institutions. The European Supervisory Authorities designate an ICT third-party provider as critical at EU level, based on criteria such as the systemic impact a failure of its services would have on financial services, the number and systemic importance of the financial entities that rely on it, the extent to which those entities rely on it for critical or important functions, and how easily it could be substituted (Article 31).
How does the Digital Operational Resilience Act impact cross-border financial services operations?
It introduces consistent requirements across the EU for cross-border financial services operations, ensuring fair competition and smooth market operations.
What role does the board of directors play in DORA compliance?
DORA places ultimate responsibility for ICT risk management on the management body, which in most organizations means the board of directors. The board must approve the ICT risk management framework, allocate the necessary resources and processes to meet the act's requirements, and keep its own knowledge of ICT risk up to date.
How does the Digital Operational Resilience Act affect the monitoring of outsourced services?
DORA requires financial institutions to have proper oversight in place to monitor outsourced services, including those provided by critical third-party service providers. This helps ensure that these services don’t pose a risk to the institution’s resilience.