DORA stands for Digital Operational Resilience Act: legislation introduced by the European Union in January 2023, with which financial entities need to comply by January 2025.
The regulatory framework will strengthen the European financial sector’s ability to prevent, detect, and respond to cyber threats and disruption to operations. Banks, insurers, investment firms, payment service providers, and crypto service providers all fall under DORA’s scope, as do any third parties supplying key infrastructure to the European financial sector.
Here, we’ll look at the regulatory and practical impacts of DORA on European financial entities, and the benefits compliance will bring.
The EU finance sector relies on its digital landscape to deliver services and to keep customer data secure. Technology powers it — and also exposes it to risks from multiple angles.
Cyber attacks are an obvious threat: an attack on a major financial services payment system could lead to global losses of $3.5 trillion over five years, and these attacks are increasing in scale and sophistication. Technical outages and extreme weather events can also cause chaos, affecting financial firms’ ability to function and customers’ ability to access funds and services.
DORA is Europe’s answer to these risks and threats. It aims to minimize the potential for issues, and, if they do occur, their effects on the EU finance sector, the wider economy, and society.
DORA is one element of the EU’s broader Digital Finance Strategy, specifically looking at managing digital risk in the financial sector. It outlines detailed, strict requirements for financial entities on:
Ensuring compliance with DORA is an intricate task for compliance and IT teams within EU financial entities (and third-party providers). It will be a significant workload until the January 2025 deadline. That said, beyond the need for compliance, DORA brings clear benefits:
Working toward complying with DORA hands financial entities an opportunity to identify and fix potential cybersecurity weaknesses. As every EU entity brings in enhanced security, the financial landscape as a whole will become better protected.
DORA will minimize the effects of cyberattacks and operational disruptions on the wider economy by reinforcing resilience across the whole EU finance sector. The regulations encourage pre-emptive risk management and detailed planning for incident response, so finance actors will be better prepared to resist attacks and to recover faster from them.
Trust and security matter to consumers. Complying with DORA offers finance entities — from banks and insurers to investment managers and payment service providers — an opportunity to communicate their prioritization of these factors to their customers. For firms that get ahead of the pack on thorough DORA implementation, this opens up the potential to gain market share.
As entities implement DORA-mandated policies and processes, customers’ details will be better protected from bad actors.
The scope of DORA is necessarily wide. As a result, it will usher in major practical changes across all EU financial actors. For IT and compliance teams in these firms, key change management areas include:
1. Periodic tests
DORA requires firms to run periodic incident response drills, penetration testing, and vulnerability assessments. This will likely require budget allocation for specialist security tools and expertise.
2. Risk management
Proactivity is a key pillar of DORA. EU finance entities will need to shape, roll out, and maintain thorough cybersecurity risk management schemes, either working with the expertise they already have in-house or collaborating with external providers.
3. A close eye on third parties
One of the key changes DORA makes is placing increased scrutiny on third-party providers. Because these providers are essential to digital resilience, finance entities will have to run comprehensive due diligence and introduce safeguards into all contracts with third parties. Some firms will likely opt to work only with DORA-compliant service providers.
4. More detailed reporting
Firms will have to strengthen their capabilities for reporting significant IT incidents, in line with the protocols DORA sets out for detecting and reporting them.
5. More transparent operations
DORA hands designated supervising bodies greater authority over the European finance sector in order to promote transparency. These authorities will be given more oversight, and firms will have to share their risk management policies and their plans for responding to incidents.
6. Interconnection with other regulations
Compliance and IT teams should work towards DORA compliance in the context of other legislative changes. Primarily, DORA relates to:
It’s wise to look at DORA as your chance to go beyond the ‘musts’ of regulatory compliance. It’s a chance to invest in strengthening digital resilience, to safeguard customer data, and to gain a competitive edge.
To get ahead of DORA compliance, talk to our team about how ServiceNow can help.