DORA is Raising the Compliance Bar for Cybersecurity Resilience: Are You Ready?
The regulatory landscape is a crowded one for financial sector firms, and new compliance requirements are constantly being added. This is especially true for firms that operate internationally, which must deal not only with the regulations enhanced over the past year by the SEC and the White House in the US, but also with multiple regulatory frameworks in Hong Kong and the UK and with GDPR in Europe. Now comes the Digital Operational Resilience Act (DORA), a new set of rules taking shape in the EU that will enhance mandates for cybersecurity resilience. As these requirements develop, alternative investment firms should consider how DORA will impact business operations and what they can do to prepare.
DORA Raises the Bar for Cybersecurity Resilience
DORA is a new set of rules that will raise the bar on cybersecurity preparedness and response for any financial institution that conducts business in the EU. Even companies that are not based in Europe are still subject to DORA compliance if any financial transactions or investment activities involve EU countries or currency. Similar to how last year’s updates to the SEC’s cybersecurity rules placed added emphasis on resiliency and continuity of operations in the US, DORA is designed to do much the same thing in the EU.
Specifically, DORA is intended to enhance the digital operational resilience of the EU financial services sector by strengthening financial entities’ information and communication technology (ICT), third-party risk management and reporting capabilities. Key DORA focus areas include minimizing downtime, enhancing backup and restore, faster root cause analysis and shrinking recovery time objective (RTO) durations between failure events and the point where operations resume.
These capabilities are already part of good cyber hygiene, but DORA now codifies these objectives as law with strict penalties for noncompliance. These penalties include fines of up to 2% of a company’s total annual worldwide turnover; third-party fines of €5 million for companies and €500,000 for individuals; and the possibility of an audit or even suspension of a company’s operations.
4 Ways to Prepare for DORA
DORA was enacted last year with a compliance deadline of January 17, 2025, leaving financial firms under a year to align themselves with its requirements. Fortunately, organizations can turn to ECI as a trusted partner with the right combination of tools, resources and domain expertise to deliver on the requirements of the DORA regulation.
We’re already helping clients prepare for DORA with a four-part action plan. Our tailored and stepwise approach for clients includes:
- Establishing a comprehensive and well-documented ICT risk management framework – ECI’s framework is designed to cover all physical assets and physical infrastructure – including hardware, software and servers, data centers and areas that have been designated as sensitive – with DORA-compliant strategies, policies, procedures, ICT protocols and tools.
- Defining a digital operational resilience strategy – This step builds on the ICT framework by assessing your current level of compliance and identifying further steps that need to be taken, including establishing risk tolerance levels, setting KPIs for security objectives and implementing resilience testing protocols.
- Implementing a business continuity policy – This is a crucial third step that details how firms will ensure the preservation of critical or important functions and how they will deliver a quick and effective response to ICT-related incidents. ECI’s policy provisions here include comprehensive backup policies, incident management workflows and crisis communication plans for internal and external stakeholders.
- Ongoing monitoring and testing of digital operational resilience – Achieving DORA compliance will be a continuous task, which is why ECI provides ongoing support that includes vulnerability management, penetration testing, threat detection and prevention, network segmentation and training for employee-based cyber hygiene measures.
For more details on how your financial services firm can prepare to align with the Digital Operational Resilience Act, stay tuned for our upcoming white paper: Four Actions to Become DORA Compliant. You can also learn more today about how ECI can strengthen your firm’s overall governance, risk and compliance posture to comply with DORA well ahead of the upcoming deadline.