Digital Operational Resilience Act (DORA) comes into force

17 January 2025 is a significant moment for companies operating in the EU financial services sector as the Digital Operational Resilience Act (DORA) officially comes into force.

This new regulatory framework aims to strengthen the digital resilience of financial institutions and their critical and essential technology providers and to set requirements for ICT risk management, operational resilience testing and response to security incidents that could affect financial stability.

For organisations that have invested the necessary time and resources in preparing to meet their new obligations, today is an opportunity to demonstrate their readiness, strengthen relationships with regulators and build trust with all stakeholders. For those who have not paid the necessary attention to the new regulation, the urgency to act cannot be overstated - compliance is no longer optional. It is true that some implementing regulations (ITS/RTS) have not yet been approved, yet their existing wording gives a sense of what will need to be met.

WHAT DOES DORA MEAN FOR FINANCIAL SERVICES AND THEIR THIRD-PARTY ICT PROVIDERS?
DORA establishes a robust and comprehensive framework to ensure that financial entities and their critical technology providers are able to withstand, respond to and recover from ICT-related disruptions. It covers a diverse range of organisations including banks, insurance companies, investment firms, payment service providers and major ICT vendors that provide essential technology services. But it has also impacted lottery companies, for example, or large car dealerships that provide financial and insurance services.

The Regulation is structured into four basic requirements that all affected entities must meet:
  • ICT risk management: businesses must put in place robust frameworks to identify, assess and effectively mitigate ICT risks. This includes establishing detailed processes for monitoring vulnerabilities, managing updates and ensuring systems are secure and up-to-date.
  • Operational resilience testing: regular testing of operational resilience measures is mandatory under DORA. This includes penetration testing, red teaming and disaster recovery simulations to ensure that systems and processes can withstand real-world challenges.
  • Incident reporting: timely reporting of serious ICT-related incidents to regulators is a key aspect of the DORA programme. Organisations must have clear protocols for identifying, escalating and disclosing incidents that impact their operations, customers or critical infrastructure.
  • Third-party risk management: greater control of third-party ICT providers will ensure that these external partners adhere to the same high standards of resilience. This includes regular risk assessments, negotiating strict contractual terms and conditions and putting in place ongoing monitoring processes. Selected ICT contractors with a pan-European footprint will be audited directly by the European regulator. What level of supply chain assurance for local suppliers will be sufficient, e.g. ISO audits, is yet to be determined by the local regulator.
WHAT AWAITS COMPLIANT ORGANISATIONS?

For organisations already compliant with the DORA standard, this milestone is just the beginning of an ongoing journey to maintain resilience. Compliance is not a one-time achievement - it is an ongoing process that requires vigilance, adaptation and continuous improvement.

HOW SHOULD COMPLIANT BUSINESSES OPERATE NOW?

Monitor continuously: implement real-time monitoring systems that detect and respond to ICT risks as they emerge. Early detection is critical to minimise the impact of potential breaches.

Document and report: make sure you have well-documented incident reporting protocols, and be prepared to provide detailed evidence of compliance during regulatory inspections. Transparency and accountability will be critical to maintaining trust with regulators.

Review and update testing plans: operational resilience testing is an iterative process. Plan your testing regularly to adapt to emerging threats and improve your response capabilities. This includes updating scenarios to reflect changes in your business operations or technology environment.

Work with third-party providers: keep open communication channels with your ICT providers to ensure they continue to adhere to security standards. Regular reviews and audits of your relationships with third parties will be essential to proactively address risks.

ARE YOU ONE OF THE ORGANISATIONS THAT DID NOT PAY THE NECESSARY ATTENTION TO THE PREPARATIONS FOR THE NEW LEGISLATION?
If your organisation is not yet fully compliant with DORA, it is time to take immediate action. Failure to comply can result in regulatory penalties, reputational damage and operational vulnerabilities that put your business at risk.
How to proceed?

Perform a gap analysis: evaluate your current processes and identify critical gaps in ICT risk management, resilience testing, incident reporting and third-party oversight (under DORA and all ITS/RTS).

Strengthen incident response plans: make sure you have a well-defined framework for identifying, managing and quickly reporting ICT incidents.

Improve third-party risk management: work with your external ICT providers to align requirements for compliance with security standards. This may include renegotiating contracts, establishing ongoing monitoring and regular risk assessments.

Seek expert guidance: if you are experiencing problems in meeting DORA requirements, do not hesitate to seek external support. Professional advisors can help you streamline your compliance efforts and focus on high-priority areas.

WHAT IS THE EXPECTED LONG-TERM IMPACT OF THE DORA LAW?

The introduction of DORA as a vertical regulation alongside the NIS2 Directive represents a significant milestone, but also signals a broader shift towards greater resilience and accountability across the financial sector. By adopting the DORA principles, organisations can build a stronger foundation for managing ICT risks, enhancing operational stability and protecting against an increasingly complex threat landscape.

This regulation is not just about meeting today's requirements - it's about future-proofing your business. Those who invest in ongoing compliance and resilience can gain competitive advantages, including improved stakeholder trust, stronger customer confidence and reduced exposure to risk.

As the regulatory environment continues to evolve, with the world increasingly moving into the digital space, businesses need to remain proactive. Compliance with DORA should be seen as part of an ongoing commitment to digital resilience, not as a one-off effort.

NEED HELP WITH ONGOING DORA COMPLIANCE?
If you are still working towards full compliance or want to further improve your resilience strategies, our BDO technology team can help. From conducting gap analyses to building robust testing frameworks, we provide tailored solutions for your unique DORA needs.