The Digital Operational Resilience Act (DORA) is poised to reshape the EU’s financial sector by enhancing its cybersecurity defences. Scheduled to take effect on 17 January 2025, the regulation aims to ensure financial institutions and third-party ICT providers can withstand and recover from cyberattacks and ICT-related disruptions. DORA broadly defines ICT providers as entities that offer information and communication technology services.
DORA introduces an EU-wide framework to harmonise the management of cybersecurity and ICT risks. The regulation applies to a variety of financial entities, including banks, investment firms, and pension providers. It emphasises key areas such as the development of robust risk management strategies, timely incident detection and reporting, regular resilience testing, and ensuring third-party ICT providers meet compliance requirements.
Critical ICT providers, such as cloud services and software providers, will be subject to extensive risk management obligations. Financial organisations must ensure these third-party providers align with DORA standards to safeguard their operational resilience.
Implementation of DORA requires organisations to assess and adapt their ICT systems and processes. Expert guidance is often necessary to navigate the regulatory requirements and strengthen defences against digital threats. Non-compliance could result in severe penalties, including significant fines, operational restrictions, and public disclosure of violations, which may harm reputations and erode trust.
DORA establishes a comprehensive framework to manage cybersecurity risks, reinforcing the EU’s commitment to digital resilience. Financial institutions and their ICT vendors must act promptly to comply with these new standards and mitigate the potential risks of non-compliance.
