Financial services companies and their digital technology suppliers are facing significant challenges as they strive to comply with new stringent regulations from the European Union aimed at enhancing cyber resilience. The EU’s Digital Operational Resilience Act (DORA) is set to have a profound impact on banks, insurance companies, investment firms, and their technology providers, as they work to bolster their IT security and operational resilience in the face of increasing cyber threats.

Understanding DORA

The Digital Operational Resilience Act (DORA) mandates that financial institutions must strengthen their IT security to ensure they can withstand and recover from severe disruptions to their operations. These disruptions could range from ransomware attacks that cripple computer systems to distributed denial of service (DDoS) attacks that take down websites. The regulation also aims to prevent major outage events like the recent IT meltdown caused by a cyber firm’s software update, which disrupted services for several banks and investment companies.

DORA not only focuses on banks’ internal measures to ensure resiliency but also places a spotlight on their technology suppliers. Under the new regulation, banks are required to conduct rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information sharing on cyber threats, and measures to manage third-party risks. This means that third-party providers delivering critical digital services must also be part of the testing and reporting process, which requires financial institutions to identify and map their dependencies on these external entities.

Implementation Timeline

DORA officially came into force on January 16, 2023, but EU member states will not enforce the rules until January 17, 2025. The delay in enforcement allows financial firms and their suppliers time to prepare and align with the new regulations. The EU’s emphasis on these reforms stems from the growing reliance of the financial sector on technology and tech companies to deliver essential services, making them more susceptible to cyber threats and incidents.

The new regulations require financial companies to improve their recovery time objectives and strengthen security measures around technology, especially the ability to recover from cyber incidents. The focus on third-party risk management highlights the importance of ensuring that external service providers play their part in maintaining the security and resilience of the financial ecosystem.

Compliance and Consequences

Failure to comply with DORA can result in significant penalties for financial firms and their technology suppliers. EU authorities have the power to levy fines of up to 2% of a company’s annual global revenues for non-compliance. Individual managers within these entities can also be held accountable for breaches and face sanctions of up to €1 million. IT providers may face fines of up to 1% of their average daily global revenues, with potential daily fines until compliance is achieved.

For critical third-party IT providers, fines can escalate to €5 million, emphasizing the importance of ensuring compliance across the entire digital supply chain. The principle of proportionality in penalties ensures that responses to legal failings are balanced against the criticality of the services offered and the data being protected.

Industry Preparedness and Challenges

Many financial services firms have been proactive in aligning their existing internal operational resilience and third-party risk programs with DORA requirements. This alignment aims to create a harmonized governance framework under a single supervisory authority and streamline compliance efforts across the EU. While progress has been made, there is still work to be done to fully meet the requirements of the regulation by the enforcement deadline.

Despite efforts to achieve compliance, industry experts acknowledge that challenges remain. Fredrik Forslund of data sanitization firm Blancco notes that while progress has been made, there is a sense of urgency to reach full compliance by the deadline. Not all firms may be able to meet the stringent requirements by January, highlighting the ongoing efforts needed to enhance cybersecurity and operational resilience in the financial sector.

In conclusion, the EU’s Digital Operational Resilience Act represents a significant step towards ensuring the cybersecurity and operational resilience of financial institutions and their technology suppliers. By mandating stringent IT security measures, incident management protocols, and third-party risk management practices, DORA aims to safeguard the financial sector against cyber threats and operational disruptions. While challenges remain in achieving full compliance, the industry must continue to prioritize cybersecurity and resilience to protect critical financial services and customer data.