
What is the impact of DORA?

Rik Burgering
Impact of DORA: Strengthening Cybersecurity in the EU Finance Sector

DORA stands for Digital Operational Resilience Act: an EU regulation that entered into force in January 2023 and applies to financial entities from 17 January 2025.

The regulatory framework is intended to strengthen the European financial sector's ability to prevent, detect, and respond to cyber threats and disruptions to operations. Banks, insurers, investment firms, payment service providers, and crypto-asset service providers all fall under DORA's scope, as do the ICT third-party providers that supply key services and infrastructure to the European financial sector.

Here, we’ll look at the regulatory and practical impacts of DORA on European financial entities, and the benefits compliance will bring.  

Why did the EU introduce DORA?  

The EU finance sector relies on its digital landscape to deliver services and to keep customer data secure. Technology powers it — and also exposes it to risks from multiple angles.  

Cyber attacks are an obvious threat: one industry scenario analysis estimates that an attack on a major financial services payment system could lead to global losses of $3.5 trillion over five years. And these attacks are increasing in scale and sophistication. Technical outages and extreme weather events can also cause chaos, affecting financial firms' ability to function and customers' ability to access funds and services.

DORA is Europe’s answer to these risks and threats. It aims to minimize the potential for issues, and, if they do occur, their effects on the EU finance sector, the wider economy, and society.  

Digital Operational Resilience Act (DORA): An overview  

DORA is one element of the EU’s broader Digital Finance Strategy, specifically looking at managing digital risk in the financial sector. It outlines detailed, strict requirements for financial entities on:  

  • Internal ICT risk management and contingency planning 
    DORA requires firms to have in place comprehensive ICT risk management frameworks, including vulnerability assessment, mitigation strategies, business continuity and recovery planning, and continuous monitoring.  

  • ICT risk management for third-party providers  
    Finance sector firms will need to carry out detailed due diligence on external ICT providers and keep a register of all their contractual arrangements with them. To ease compliance, many firms will prefer providers that can already demonstrate the contractual terms and controls DORA expects. 

  • Operational resilience testing and incident reporting to competent authorities 
    DORA mandates periodic testing of firms' digital operational resilience. It also requires processes to detect, classify, and report major ICT-related incidents to the relevant authorities. 

  • Robust cybersecurity and sharing information and intelligence on cyber threats 
    DORA allows financial entities to exchange cyber threat information and intelligence with each other (indicators of compromise, tactics and techniques, alerts, and security tooling) within trusted communities, provided the arrangements protect business confidentiality and comply with data protection rules. 

 

DORA compliance: Exploring the benefits 

Ensuring compliance with DORA is an intricate task for compliance and IT teams within EU financial entities (and their third-party providers), and it will be a significant workload until the 17 January 2025 application date. That said, beyond the need for compliance, DORA brings clear benefits: 

Strengthening security 

Working toward complying with DORA hands financial entities an opportunity to identify and fix potential cybersecurity weaknesses. As every EU entity brings in enhanced security, the financial landscape as a whole will become better protected.  

Shrinking systemic risk 

By reinforcing resilience across the whole EU finance sector, DORA will limit the effects of cyberattacks and operational disruptions on the wider economy. The regulation encourages pre-emptive risk management and detailed incident response planning, so financial entities will be better prepared to resist attacks and to recover from them faster.  

Competitive edge 

Trust and security matter to consumers. Complying with DORA offers finance entities — from banks and insurers to investment managers and payment service providers — an opportunity to communicate their prioritization of these factors to their customers. For firms that get ahead of the pack on thorough DORA implementation, this opens up the potential to gain market share.  

Better protection for customers  

As entities implement DORA-mandated policies and processes, customers’ details will be better protected from bad actors.  

 

How does the DORA legislation affect EU financial entities?  

 
The scope of DORA is necessarily wide. As a result, it will usher in major practical changes across all EU financial actors. For IT and compliance teams in these firms, key change management areas include:  

1. Periodic tests 
DORA requires firms to maintain a digital operational resilience testing programme, including incident response drills, penetration testing, and vulnerability assessments, with ICT systems supporting critical or important functions tested at least once a year. Entities that supervisors designate as significant must additionally run threat-led penetration testing (TLPT) of their live production systems at least every three years. This will likely require budget allocation for specialist security tools and expertise. 
 
2. Risk management 
Proactivity is a key pillar of DORA. EU finance entities will need to shape, roll out, and maintain thorough ICT risk management frameworks, either using the expertise they already have in-house or collaborating with external providers.  

3. A close eye on third parties
One of the key changes DORA makes is placing increased scrutiny on ICT third-party providers. Because they are essential to digital resilience, finance entities will have to run comprehensive due diligence before contracting, keep a register of all ICT third-party arrangements, and include the contractual provisions DORA specifies (such as service level descriptions, data location, audit and access rights, and exit strategies) in every contract. Critical ICT third-party providers will also fall under a new EU-level oversight framework run by the European Supervisory Authorities. Some firms will likely opt to work only with providers that can already meet these contractual terms.  

4. More detailed reporting 
Firms will have to strengthen their capability to detect, classify, and report major ICT-related incidents, following the process DORA sets out: an initial notification, followed by an intermediate report and a final report, within the timelines laid down in the accompanying technical standards.  

5. More transparent operations 
DORA gives competent authorities greater oversight of the European finance sector, to promote increased transparency. Firms will have to share their ICT risk management frameworks, incident response plans, and registers of third-party arrangements with their supervisors on request. 

6. Interconnection with other regulations 
Compliance and IT teams should work towards DORA compliance in the context of other legislative changes. Primarily, DORA relates to:  

    • The EU's Directive on Security of Network and Information Systems (NIS2 Directive), with DORA acting as the sector-specific rulebook for financial entities 
    • The European Banking Authority's (EBA) guidelines on outsourcing arrangements  
    • The EBA's guidelines on ICT and security risk management 
    • The regime for critical third-party providers to the financial system that is being introduced in the UK   


Prepare for DORA compliance with ServiceNow  

It’s wise to look at DORA as your chance to go beyond the ‘musts’ of regulatory compliance. It’s a chance to invest in strengthening digital resilience, to safeguard customer data, and to gain a competitive edge.  

To get ahead of DORA compliance, talk to our team about how ServiceNow can help. 

 

Do you want more information?

Do you have a question? Or maybe a remark? Please don't hesitate to use the contact form, send us an e-mail, or just call us. We are here to help you!

Get in touch