Before DORA, the digital landscape for financial and ICT institutions in the EU was fraught with challenges, from regulatory fragmentation to inconsistent cybersecurity practices. The rising tide of cyber threats, evidenced by a 200% increase in cyber-attacks on European financial services between 2022 and 2023, underscored the urgent need for a unified approach to digital operational resilience.
DORA, Regulation (EU) 2022/2554, was adopted after the UK's departure from the European Union and does not form part of UK law: because it was enacted after the end of the Brexit transition period, it was never retained EU law and is unaffected by the Retained EU Law (Revocation and Reform) Act 2023. UK companies with EU operations may still need to comply. Their EU-regulated subsidiaries fall directly within scope, and UK firms that provide ICT services to EU financial entities can expect DORA's contractual and oversight requirements to flow down to them, as the regulation strengthens operational resilience across the EU financial sector.
DORA closes critical gaps in the digital operational resilience of financial institutions by creating a single, harmonised framework for managing ICT risk and withstanding cyber-attacks and other ICT disruptions, thereby strengthening the resilience of financial entities and their ICT service providers across the EU.
DORA will affect over 22,000 financial entities, together with their ICT service providers and infrastructures. Importantly, ICT third-party service providers established outside the EU are not exempt: those serving EU financial entities are also subject to DORA's requirements. As a comprehensive supervisory framework, DORA applies primarily, but not exclusively, to credit institutions, payment institutions, account information service providers, crypto-asset service providers, investment firms, central securities depositories, trading venues, trade repositories, data reporting service providers, insurance and reinsurance undertakings, management companies, crowdfunding service providers and ICT third-party service providers.
DORA consolidates and enhances existing ICT risk requirements across the EU financial sector, built on five key pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements on cyber threats and intelligence.
Additional requirements include annual reviews and tests of ICT business continuity and response and recovery plans, and an EU oversight framework for critical ICT third-party service providers (CTPPs).
DORA marks a significant shift in responsibility, placing accountability for ICT risk squarely on management bodies. The era of deflecting blame is over: the management body must define, approve and oversee the entity's ICT risk management framework and maintain sufficient knowledge of ICT risk to do so, rather than delegating it wholesale to IT. These requirements are applied according to the principle of proportionality, taking into account the size, risk profile and complexity of each financial entity and its operations, so certain DORA obligations are scaled to the enterprise rather than applied uniformly.
DORA entered into force on 16 January 2023 and applies from 17 January 2025. To put it another way, non-compliance can attract penalties from 17 January 2025. This two-year window is an opportunity for organisations to assess their current practices, address gaps, and align with DORA's requirements. Though challenging, this period is also a chance to strengthen vulnerable areas, train staff, and re-evaluate internal processes, ultimately enhancing the cyber posture of European institutions.
With the rise of AI-driven threats and politically motivated cyber-attacks, financial services remain among the top three industries targeted in Europe. The increasing frequency and sophistication of these attacks make compliance with DORA essential. Failure to adapt could result in regulatory penalties, increased cyber risks, operational disruptions, legal challenges, and loss of customer trust. With only four months remaining, now is the time to act—secure your future, and navigate the new digital landscape with DORA or risk being left behind.
Collaborating with third-party experts like AJC for risk assessment and management is highly recommended. Organisations must thoroughly vet their ICT providers to ensure they meet DORA's standards, particularly on data protection, contractual terms and incident reporting. Regularly testing and reviewing digital operational resilience measures, including incident response plans and resilience tests, is also crucial for minimising the impact of disruptions and demonstrating compliance.
The IoCR (Institute of Corporate Resilience) and AJC are hosting a DORA Interactive Masterclass and Workshop on Thursday October 10th 2024, from 2:00 PM – 4:00 PM.
Image accreditation: NASA (2015) from Unsplash.com. Last accessed on 25th September 2024. Available at: https://unsplash.com/photos/photo-of-outer-space-Q1p7bh3SHj8