Achieving Digital Resilience Ahead of January’s DORA Deadline

With the January 17, 2025 enforcement deadline for the European Union’s Digital Operational Resilience Act (DORA) just over six months out and rapidly closing in, global financial firms with ties to businesses in the European Union must act now to ensure compliance. At this point, with 75% of the two-year timeline for compliance elapsed, financial sector organizations should already have progress to show for their efforts. 

DORA, which entered into force in January 2023, was born out of the need to strengthen the IT security of financial institutions as they grew increasingly reliant on technology to manage operations. With data breaches increasing by 72% from 2021 to 2023 and financial services organizations like banks, investment firms and insurance companies among the most targeted entities, DORA compliance will help ensure services are not disrupted by cyberattacks, outages or other risks that can compromise operational integrity or continuity. 

Addressing the Main Pillars of Digital Operational Resilience

Per DORA Article 3, digital operational resilience is defined as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by Information and Communication Technology (ICT) third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.”

To establish such resilience, DORA sets requirements across five core pillars. Within them, it requires financial entities to classify ICT-related incidents by criteria such as duration, geographical reach, the data and services affected, impact on clients and economic impact, and to report major incidents to their competent authority. The five pillars are:

  • ICT Risk Management
  • Incident Reporting
  • Digital Operational Resilience Testing
  • Management of Third-Party Risk
  • Information Sharing

Collecting data and categorizing incidents enables financial organizations to bolster their IT protections beyond basic cyber defense measures, adding proactive steps that minimize disruption and downtime when an attack does succeed. However, bringing cyber hygiene into line with DORA’s definition of resilience can be sobering for IT managers and the teams charged with safeguarding IT systems and keeping operations running. 

Clarifying the Stakes for Compliance

In the modern IT environment of a typical hedge fund, private equity firm or other alternative investment firm, the complexity and scale of the technology supporting high-volume, real-time and often irreversible transactions creates significant hurdles to maintaining a resilient operation. These digital operational resilience standards also come with specific economic and regulatory consequences for organizations that fall short of DORA’s requirements. 

Organizations that fail to achieve DORA compliance by January 17, 2025 face exceedingly high stakes. Non-compliance leaves financial firms vulnerable to damaging and costly attacks; for scale, a 2023 systemic risk scenario modelled by Lloyd’s of London estimated that a cyberattack on a major financial services payment system could cause global economic losses of up to $3.5 trillion (about €3.2 trillion) over a five-year period.

Beyond such damage from attacks, DORA comes with regulatory teeth that add to an organization’s costs. DORA itself leaves administrative penalties for financial entities to each EU member state (Article 50), so the exact fine schedule depends on the national competent authority, but the regulation does give the Lead Overseer the power to impose periodic penalty payments on ICT third-party service providers designated as “critical” of up to 1% of their average daily worldwide turnover for each day of non-compliance, for up to six months (Article 35). Violations can also bring supervisory measures such as orders to cease the offending conduct, audits, or even suspension of a company’s operations.

Regardless of where an organization currently lies on its journey to DORA compliance, complete adherence to the regulation requires financial firms to first understand, in detail, how the principles of DORA apply to their own IT architectures. Given the quantifiable impacts of non-compliance, these updates are far easier said than done. Wherever your firm stands in its progress toward DORA compliance, ECI can draw on tried and trusted experience as a leading financial services MSSP to support you in reaching compliance ahead of the January deadline. 

For more information about how ECI can support your financial services firm in achieving DORA compliance, download our DORA eBook or contact sales.
