date 2025-01-17

The EU’s Digital Operational Resilience Act (DORA) is here. The regulation formally entered into force in January 2023 and became applicable on January 17, 2025, the date from which organizations in its scope can face substantial penalties for non-compliance. The legislation aims to strengthen cyber resilience in the financial sector and reduce the frequency and impact of critical disruptions caused by cyber events, which have the potential to cause major damage to the global economy. The provisions apply to banks, insurers and investment firms. ICT third-party service providers to the financial sector are also in scope. Although DORA is an EU law, it also reaches many global organizations that operate in the region. DORA has five core focus areas:

- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- Incident reporting
- Information sharing

As well as its focus on resilience, the law also seeks to address rising supply chain and third-party risk. With DORA now applicable, Infosecurity has explored how ready financial institutions were for the DORA deadline, and some of the compliance challenges on the horizon.

Regulators to Take a Tough Stance

Financial entities were given a two-year transition period to implement the DORA requirements. As a result, many expect regulators to take a tough approach to non-compliance. “Compliance with DORA is non-negotiable, and regulators will expect tangible progress,” explained Madelein van der Hout, Senior Analyst at Forrester.

Organizations that fail to comply with DORA risk a range of significant and far-reaching consequences, including fines and reputational damage. Non-compliant organizations are widely reported to face fines of up to 2% of their global annual turnover or €10m ($10.2m), whichever is higher. Note that DORA itself leaves the administrative penalties for financial entities to the national competent authorities of each member state, so the exact fine regime varies by jurisdiction; what the regulation does fix directly is the penalty for critical ICT third-party providers, which can be charged a periodic penalty of up to 1% of their average daily worldwide turnover for each day of non-compliance, for up to six months. Additionally, regulatory authorities have the power to limit or suspend a non-compliant financial firm’s business activities until it achieves full compliance. In severe cases, non-compliance can result in a temporary suspension of operations, effectively halting business. Such measures could have an even bigger financial impact than fines. Notably, DORA also includes individual liability for business leaders for their firm’s compliance failures, with a reported maximum penalty of €1m ($1.02m).

Compliance Levels Expected to be High

Given the stakes, there are positive signs around organizations’ preparedness to comply with the new rules. Large financial firms, already operating in a highly regulated sector that is frequently targeted by sophisticated cyber-attacks, tend to have strong cyber resilience built into their systems. Speaking to Infosecurity, Pat Opet, Global CISO at JPMorgan, said that the banking giant generally views its compliance obligations as “necessary provability” for its security controls.

Regarding DORA, Opet noted that the firm, alongside other large global financial institutions, has placed significant emphasis on aspects such as response and recovery and third-party security over recent years. “We’ve actually changed our third-party obligations over the past several years to ensure that third parties are institutionalizing response and recovery to the extent that we expect them to,” commented Opet.

Grant Harper, Global Lead for Financial Services at IT monitoring software firm ITRS, said that anecdotally he has observed high levels of industry readiness. “Firms have had years to prepare, and the various supervisory authorities responsible for the implementation have been proactive in providing education and resources to ensure all participants understand the requirements,” he commented.

Van der Hout said she expects global financial companies based outside the EU to align their practices with DORA to remain competitive and ensure interoperability with EU clients.

Compliance Challenges Remain

Despite the positive signs, there are aspects of DORA that are causing compliance concerns. A report by Orange Cyberdefense found that 43% of the UK financial services industry would miss the DORA compliance deadline and would not be compliant for at least three months. Compliance delays appear to be primarily related to the provisions on ICT third-party risk management. DORA requires firms to collate information about their contractual arrangements with ICT providers into a register of information, which must be maintained and made available to the competent authority on request.

“EU financial firms have accelerated their DORA implementation projects in recent months but, for many, there remains a lot to do”