DORA isn’t just the name of a popular children’s animated character. In this context, DORA stands for the Digital Operational Resilience Act, a new piece of EU legislation designed to guide and secure digital operational resilience in the financial sector.

Before DORA, financial institutions and their ICT providers in the EU faced a fragmented regulatory landscape and inconsistent cybersecurity practices, with ICT risk requirements varying between member states and between sectoral regimes. The rising tide of cyber threats, evidenced by a 200% increase in cyber-attacks on European financial services between 2022 and 2023, underscored the urgent need for a unified approach to digital operational resilience.

Introducing DORA

DORA, Regulation (EU) 2022/2554, was adopted after the UK’s departure from the European Union and therefore does not form part of UK law: it was never retained EU law, and the Retained EU Law (Revocation and Reform) Act 2023 does not bring it in. UK companies operating in Europe, including through their European subsidiaries, may still need to comply with its requirements, as may UK firms that supply ICT services to EU financial entities, since DORA strengthens operational resilience across the EU financial sector and its supply chain.

Objectives of DORA

DORA addresses critical gaps in the digital operational resilience of financial institutions by creating a single, harmonised framework for managing ICT risk, so that entities can withstand, respond to and recover from cyber-attacks and other ICT disruptions. It also strengthens the operational resilience of the ICT service providers on which financial entities across the EU depend.

Impact and Scope of DORA

DORA will affect over 22,000 financial institutions, along with their service providers and infrastructures. Importantly, ICT third-party service providers established outside the EU can also fall within scope when they serve EU financial entities. As a comprehensive supervisory act, DORA primarily impacts (but is not limited to) credit institutions, payment institutions, account information service providers, crypto-asset service providers, investment firms, central securities depositories, trading venues, trade repositories, data reporting service providers, insurance and reinsurance undertakings, management companies, crowdfunding service providers and ICT third-party service providers.

Key Pillars of DORA

DORA consolidates and enhances existing ICT risk requirements across the EU financial sector, built on five key pillars:

  • Governance and Control: establishing a robust internal framework for ICT risk management, owned by the management body, which can be aligned with a recognised standard such as ISO 27001 (DORA does not mandate any particular standard).
  • Incident Reporting: mandating the classification of ICT-related incidents and the reporting of major ones to the competent authority within set deadlines, together with continuous improvement of incident-handling processes.
  • Resilience Testing: requiring regular digital operational resilience testing, including threat-led penetration testing (TLPT) for entities designated by their supervisor, and testing of recovery capabilities.
  • Third-Party Risk Management: managing ICT third-party risk across the supplier lifecycle, from identification and due diligence through contracting and ongoing monitoring, with particular attention to critical suppliers.
  • Information Sharing: enabling the voluntary exchange of cyber threat information and intelligence between financial entities within trusted communities, under arrangements that protect the shared data.

Additional requirements include at least annual review and testing of ICT business continuity plans, and an EU-level oversight framework for Critical ICT Third-Party Service Providers (CTPPs), under which designated providers are overseen directly by the European Supervisory Authorities.

Shifting Responsibilities

DORA marks a significant shift in responsibility: the management body of each financial entity is made ultimately accountable for ICT risk, and must approve, oversee and be trained on the entity’s ICT risk management framework. The era of deflecting blame to the IT department or to suppliers is over; DORA establishes clear and consistent accountability. These requirements are applied using the principle of proportionality, taking into account the size, risk profile and complexity of each financial entity and its operations. This means that certain DORA provisions do not apply universally but are tailored to the scale of the enterprise.

Timeline for Implementation

DORA entered into force on 16th January 2023 and applies in full from 17th January 2025. To put it another way, from 17th January 2025 a non-compliant entity is exposed to supervisory enforcement, including fines. This two-year window is an opportunity for organisations to assess their current practices, address gaps and align with DORA’s requirements. Though challenging, this period is also a chance to strengthen vulnerable areas, train staff and re-evaluate internal processes, ultimately enhancing the cyber posture of European institutions.

The Urgency for Compliance

With the rise of AI-driven threats and politically motivated cyber-attacks, financial services remain among the three most targeted industries in Europe. The increasing frequency and sophistication of these attacks make compliance with DORA essential. Failure to adapt could result in regulatory penalties, increased cyber risk, operational disruption, legal challenges and loss of customer trust. With only four months remaining before DORA applies, now is the time to act: secure your future and navigate the new digital landscape with DORA, or risk being left behind.

How AJC Can Help

Collaborating with third-party experts such as AJC on risk assessment and management is highly recommended. Organisations must thoroughly vet their ICT providers to ensure they meet DORA’s standards, particularly regarding data protection and incident reporting. Additionally, regularly testing and reviewing digital operational resilience measures, such as incident response plans and resilience tests, is crucial for minimising the impact of disruptions and achieving compliance.

Join Us for a FREE Interactive DORA MasterClass

The IoCR (Institute of Corporate Resilience) and AJC are hosting a DORA Interactive Masterclass and Workshop on Thursday October 10th 2024, from 2:00 PM – 4:00 PM.

The session will include an introduction to DORA, an experienced panel and an open-floor Q&A. It is held online, free of charge, and promises an educational and supportive session.


Image credit: NASA (2015) via Unsplash.com. Last accessed 25th September 2024. Available at: https://unsplash.com/photos/photo-of-outer-space-Q1p7bh3SHj8
