Preparing for DORA: A Roadmap to Compliance for Financial Institutions

Financial services providers are essential for the modern world, supplying the systems critical to the flow of business. Ensuring these systems are resilient and available 24/7 is vital to upholding customer trust, driving business continuity, and maintaining regulatory compliance.

The Digital Operational Resilience Act (DORA), a European Union (EU) regulation introduced in January 2023, aims to support this by enhancing digital resilience in financial entities such as banks and insurance companies. In July 2024 there will be a second batch of DORA policy requirements released outlining the additional steps financial services providers must take to comply with the Act. With the final deadline on 17th January 2025, there is no time to waste. Service providers must act quickly and make the necessary investments to ensure compliance.

DORA in the UK

The objective of DORA is to make the European financial sector better equipped to withstand severe operational disruptions, such as AI-driven cyberattacks. While it doesn’t apply directly in the UK, it is still relevant for any financial institutions who deliver services in the EU, as they will need to comply to continue serving their European customers.

However, it’s important to avoid seeing DORA as just another regulatory hurdle that must be overcome. Those that have invested in establishing the processes and capabilities needed to comply will be best placed to secure lasting relationships and build stronger partnerships with their EU customers. By adhering to the guidelines laid out by DORA, organisations can ensure best practices, ultimately helping to drive customer experience and build trust with consumers.

Key requirements to meet the mandate

Cyberattacks have become more frequent and difficult to defend against over the years. Recent research reveals that 72% of CISOs say their organisation has experienced an application security-related issue in the past two years, and the growing use of AI is making matters worse. DORA compliance will put financial services in a stronger position to withstand these more sophisticated cyber threats, protect sensitive customer information, and maintain trust in the financial system.

To ensure compliance, financial services providers must adhere to the following:

1)      IT Risk Management – Financial services providers must ensure they have a robust framework to identify, assess, and neutralise potential IT threats. One of the requirements of DORA includes regularly scanning digital landscapes to identify potential vulnerabilities.

2)      Incident Reporting – DORA also requires financial services providers to report an incident within 4 hours of classification, or no later than 24 hours from the time of detection. For this to happen, finance firms must have the correct tools to identify threats at speed and not rely on manual detection and response capabilities.

3)      Operational Resilience Testing – Regular operational resilience testing is also a key requisite of DORA, forcing financial services organisations to simulate cyberattacks and disruption within their systems to expose vulnerabilities in their estates.

These requirements underscore that it is no longer enough for financial services providers to be able to demonstrate compliance during a two-week period for an annual audit. DORA requires a new approach to compliance, whereby firms must be constantly prepared to respond quickly and efficiently at any time throughout the year.

Tools of the trade: ensuring compliance

Meeting these requirements can be challenging, especially for those that still rely on traditional regulatory compliance and vulnerability management practices. Security teams often struggle to effectively monitor internal systems to identify potential threats quickly, making it difficult to report incidents at speed in compliance with DORA.

The difficulty is that banks often have limited visibility due to their systems running on complex cloud environments. If gone unchecked, blind spots within these environments can cause disruption to important banking services due to the risk of vulnerabilities being overlooked until a security incident occurs. These challenges are compounded by the ongoing cybersecurity skills shortages. With limited staff and DORA’s heightened monitoring and incident reporting requirements, financial services providers will struggle to comply if they don’t find a more effective way to identify and respond to security threats.

To support their efforts, financial organisations should converge their security and observability data in one place, where it can be used to enable automated runtime vulnerability analysis. By doing so, financial services providers will have a clear source of real-time insight into potential threats and security incidents. Finance teams can then quickly identify the severity and impact of incidents and report this information at the speed needed to comply with DORA.

The countdown has already started

With just six months to go, financial institutions must finalise their preparations soon if they are to meet the deadline for compliance. But DORA isn’t just about ticking boxes; it’s about building a secure and resilient business in the ever-changing threat landscape. Those that see the value of embracing the best practices it entails will be well placed to build a foundation for continued success, by proactively preventing cyberattacks rather than scrambling to contain them at the last minute.