Today marks the deadline for compliance with the Digital Operational Resilience Act (DORA) in the EU.
DORA takes effect today, introducing an enforced, EU-wide framework designed to strengthen Information and Communication Technology (ICT) risk management. Ahead of the deadline, banks have been restructuring their internal systems to meet the new requirements, aiming for greater resilience and stricter protection of personal data.
Grant Harper, global lead for financial services at ITRS, said: “DORA comes at a time when scrutiny over operational resilience continues to intensify. Operational resilience is not just about ticking regulatory boxes; it is about safeguarding reputation and maintaining trust in a competitive market.”
In response to the growing complexity of the banking sector after a decade of mass digital transformation, DORA aims to establish clear requirements for cybersecurity, resilience, risk monitoring, and oversight.
Looking to the future of DORA
Simon Treacy, financial regulation senior associate at Linklaters commented on the challenging aspects of DORA compliance: “A significant challenge is that the DORA rulebook is still not finalised. Firms will need to be ready to respond to last minute changes, especially those that impact contracts with IT providers.
“The European legislators are still working on detailed rules which relate to subcontracting ICT services and threat-led penetration testing. We are also expecting guidance from the European Commission on the scope of “ICT services” under DORA. Depending on the outcome of these rules and guidance, firms may have to extend their implementation projects.”
Treacy added that DORA compliance will be an ongoing process that continues to evolve day to day with each firm’s internal operations.
According to research from Rubrik Zero Labs, 47% of financial organisations in the UK have spent over one million euros in the last two years on DORA preparation, and 28% have spent between €501,000-€1,000,000. The research also found that 46% of financial institutions report that ransomware is the greatest threat to security.
Carl Leonard, cybersecurity strategist EMEA at Proofpoint, stated: “As we move past the deadline, organisations should not diminish their efforts. A critical, and often overlooked, aspect of maintaining resilience is continuous risk assessments. This is especially crucial when integrating new technologies, services, or third-party suppliers. Thorough due diligence and proactive risk evaluation are essential to avoid new vulnerabilities and maintain a strong security posture.”
Leonard added that businesses need to maintain fundamental security practices and “cyber hygiene” to keep pace while integrating modern technologies into their operations, particularly AI-powered programs.
In December 2024, the World Federation of Exchanges (WFE) wrote to the European Commission on the possible discriminatory impact of DORA rules.