
Fraud Watch Edition 1: An In-Depth Look at the Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a new EU rule to help financial institutions handle digital risks. It came into effect on January 17, 2025 and requires banks, investment firms, and their tech providers to take strong steps to protect against cyber threats, system failures, and other problems. DORA creates common rules across the EU to make sure the financial sector is more secure and prepared. This blog explains the main points of DORA, how it affects financial companies, and what they need to do to follow the rules.
Understanding DORA
DORA creates a single set of rules for managing digital risks – replacing different national regulations in EU countries with a more unified approach. Banks, insurance companies, investment firms, and other financial organizations operating in the EU must follow these new rules to help prevent cyberattacks, system failures, and other disruptions.
Financial institutions previously faced challenges due to inconsistent Information and Communications Technology (ICT) risk management rules across EU countries. DORA solves this issue by requiring all covered entities to follow the same standards. This improves security and makes the financial sector more resilient to digital threats.
DORA became law on January 16, 2023, and financial organizations had until January 17, 2025 to comply. By this date, they were obligated to review their ICT risk strategies, update their policies, and ensure that they meet the new requirements. Companies that provide critical ICT services to financial firms were also required to prepare for stricter oversight. Regulators expected all affected organizations to take action well before the deadline. What kind of action? Read on…
Key Requirements of DORA
DORA sets out clear and specific steps that organizations need to take to manage ICT risks, report incidents, test their defenses, oversee third-party providers, and share threat information. Notably, DORA requires:
- ICT Risk Management – Financial institutions must establish cybersecurity policies, maintain an updated inventory of digital assets, and develop business continuity plans. They must identify potential risks and put measures in place to reduce them.
- Incident Reporting – Companies must report major ICT-related disruptions to regulators within set timeframes. This ensures that authorities can assess risks and take necessary action.
- Resilience Testing – Organizations must conduct regular security tests to check their ability to withstand cyber threats. Larger firms must undergo advanced threat-led penetration testing.
- Third-Party Risk Management – Financial institutions must ensure that external ICT providers meet strict security standards and comply with contractual obligations.
- Information Sharing – DORA encourages financial institutions to share intelligence on cyber threats. This cooperation helps the industry respond more effectively to emerging risks.
Who’s Affected by DORA?
DORA applies to a wide range of financial institutions and their technology providers. It impacts organizations both within the EU and globally.
The regulation covers 21 categories of financial entities – notably banks, payment institutions, insurers, crypto service providers, and investment firms. These organizations must comply with DORA’s requirements to improve their digital resilience. In total, over 22,000 entities across the EU will be affected. This includes a diverse range of financial organizations, from large multinational banks to smaller regional institutions.
DORA also has a significant impact on ICT service providers – especially system integrators, MSSPs and others that serve the financial sector. Companies outside the EU that provide critical technology services to financial institutions within the EU must also meet DORA’s standards. This means that even global providers will face stricter scrutiny if they serve EU financial entities.
What’s more, EU financial institutions must ensure that their third-party providers follow DORA’s rules. Failure to do so could lead to compliance issues for the financial institution itself.
Global and Compliance Implications
DORA has a broad impact that extends beyond the EU. It applies not only to EU-based financial institutions but also to ICT service providers worldwide if they offer critical services to EU financial entities. This ensures that security and risk management standards remain consistent across the financial sector, regardless of where a company is located.
Even non-EU companies must comply with DORA if they serve EU financial institutions. This means they must follow strict cybersecurity, resilience, and reporting requirements. Failure to comply can lead to serious consequences.
Financial institutions that do not meet DORA’s requirements can face fines of up to 2% of their total annual global turnover. This penalty ensures that large firms take compliance seriously.
For ICT service providers, non-compliance can result in fines proportionate to their revenue and the severity of the violation. In extreme cases, authorities may restrict or even prohibit them from offering services to EU financial entities.
Additionally, individual managers within financial institutions or ICT providers can be held personally liable. They may face fines of up to €1 million for failing to implement proper risk management measures.
Challenges and Opportunities
DORA creates both challenges and opportunities for financial institutions and ICT service providers.
One key challenge is the complexity of meeting DORA’s requirements. Financial institutions may need to rethink their ICT risk management strategies, run extensive tests, and update contracts with third-party providers. Achieving compliance within the required timeframe can take considerable time and resources.
At the same time, DORA offers benefits by strengthening the security and stability of the financial sector as a whole. By addressing ICT risks early, organizations can reduce costly disruptions, improve their response to cyber threats, and build customer trust. The regulation also promotes cooperation and information sharing, helping the entire industry become more resilient.
The Bottom Line
DORA is an important step in protecting the EU’s financial sector from digital disruptions. By setting clear and consistent rules, it helps financial institutions and their ICT partners manage risks and stay resilient. While meeting these requirements may take considerable effort, the benefits – stronger security, fewer disruptions, and better industry collaboration – make it worthwhile. In the long run, DORA will create a more secure and stable financial environment, benefiting both businesses and customers.