The EU Digital Operational Resilience Act (DORA) is intended to make the financial sector more secure, with the objective of bringing stability to the market and implementing ICT security and fraud measures. DORA will be fully applicable to financial institutions
and IT service providers in the EU on 17 January 2025, after two years of preparation.
We have already covered the basics of the Act, preparing for DORA, and its impending impact on the industry. Now that the EU has only one month to go before DORA applies, let’s take a look at how the fintech sector is responding.
How prepared are financial institutions for DORA compliance?
“As DORA comes into effect next month, firms need to have well-defined policies for managing cyber risk – particularly those related to legacy technology, unauthorised access, insider threats and AI generated content,” stated Steve Bradford, senior vice
president EMEA, SailPoint.
He continued: “With the average cost of a breach being over
$6 million, our findings highlight a critical need for a modern, automated approach to identity security. Unifying vast amounts of identity data within a singular, centralised platform enables better visibility and management. This context is critical to
help organisations detect and address suspicious behaviour, and manage any threats before a breach occurs.”
Andy Norton, European cyber risk officer, Armis, said that many financial institutions are unprepared for DORA because of a lack of budget and staffing shortages, citing that 35% of UK IT leaders do not have the funds for a cybersecurity infrastructure update.
However, to ensure they are prepared for the regulatory requirements of the Act, Norton detailed: “Firms must first prioritise cybersecurity basics, like shoring up multi-factor authentication (MFA), firewalls, network visibility and regular software updates.
Equally important is adopting automation and bringing all security tools and processes under a unified management system to create better visibility and faster, more streamlined operations. Once these fundamentals are sorted, advanced solutions like AI-powered
threat intelligence enable firms to transition from reactive cybersecurity measures to a proactive defence.”
Cybersecurity company S-RM outlined key steps to align with the incoming regulation:
- To identify the company’s weaknesses against the DORA requirements and how they can be addressed;
- To educate and prepare management on DORA;
- To test readiness for incidents and recovery;
- To ensure there are immediate reporting and classification processes in place in case of incidents; and
- To update relationships with relevant third parties in line with DORA’s security and risk management requirements.
Katherine Kearns, head of proactive cyber services at S-RM, added: “While DORA may seem complex, it essentially aggregates and prioritises many of the cyber security practices that financial entities in Europe have already been working towards. By focusing
on the actionable steps outlined, organisations can not only meet compliance requirements but also strengthen their overall resilience to cyber threats.”
Vulnerabilities under DORA
Pointing to the faults within the regulation, Effie Bagourdi, global head of service management at Adaptavist, stated: “Businesses must look holistically at how to build resilience and think critically about what’s needed, versus letting the regulation dictate
the direction of travel.
Although comprehensive, DORA has clear holes - departments such as legal and operations that support a critical business function may not be covered, for example, but are nonetheless critical to ensuring resilience.
Regulations are frequently unable to keep pace with technological change, and so risk becoming rapidly outdated. Companies both in financial services and beyond should instead use the regulation as an impetus to examine how they can bolster resilience overall
strategy, identifying and neutralising threats before they occur.”
SecurityScorecard released a report on Europe’s top 100 companies by market capitalisation ahead of the DORA compliance deadline, finding that 98% of Europe’s largest companies experienced third-party breaches in the past year. The report also found that 18% of the companies reported direct breaches in the last year.
Other key results from the research revealed that transport was the most secure sector, with no companies rated below a C, and energy was the least secure, with 75% of companies surveyed rating below a C and 25% reporting direct breaches.
Regional results found that companies in the Middle East experienced fewer breaches than those in Europe, with 84% reporting third-party breaches compared to Europe’s 98%. Within Europe, Scandinavian countries ranked the highest in cybersecurity, with only 20% receiving below a C rating compared to the UK’s 24%, Germany’s 34%, France’s 40% and Italy’s 41%.
Jeff Le, VP of global government affairs and public policy, SecurityScorecard, added: "Our data clearly shows that organisations with top-tier cybersecurity ratings are far less likely to experience breaches. By leveraging these ratings, companies can not
only protect themselves but also hold vendors accountable, creating stronger, more resilient supply chains."
Giles Inkson, director of services EMEA at NetSpi, emphasised how financial institutions should already be ready for DORA compliance; businesses should have already identified gaps in their resilience strategies and planned to address them. Inkson outlined
how DORA provides a comprehensive approach to risk and resilience, which means collaboration throughout all aspects of a business rather than requiring all resilience measures to be managed by the IT department.
"Proactive planning is key. Those organisations that still haven’t taken initial steps face a steep climb, but the emphasis on clear, visible progress provides a lifeline - one that must be seized immediately. A last-minute scramble will only expose vulnerabilities
and risk both reputational damage and regulatory penalties," stated Inkson.
Alain Traill, counsel at Latham & Watkins, agreed with Inkson’s statement: “With the DORA deadline fast approaching, affected organisations should already be well advanced in implementing compliance programmes. However, given the scale of the uplift required,
many are struggling to achieve compliance ahead of the deadline.”
Traill pointed to how DORA’s stringent requirements demand large-scale infrastructure and operations changes, which can be time-consuming and onerous for smaller firms.
What will a DORA-compliant future look like?
Inkson outlined what a future will look like under DORA, detailing that the financial sector will be better protected and resilient against fraud and cybersecurity breaches. DORA will lay down foundations for an organised system of reporting and testing
that will create a proactive and safer industry.
Inkson highlighted that the DORA requirements are only the beginning of a larger journey for financial institutions, one that will lead to a more sophisticated strategy for preventing cyber threats and a safer financial landscape.
Inkson furthered: "The January 2025 deadline is not the end of the road but a waypoint on an ongoing journey. Cyber threats continue to grow in sophistication, with hybrid threats combining physical and digital vulnerabilities becoming increasingly prevalent.
Meeting DORA’s initial requirements is merely the foundation. Maintaining compliance and resilience will require constant vigilance. Firms must essentially embed resilience into their operational DNA.”
Bagourdi criticised the impact of DORA on innovation, citing the strain it places on smaller businesses and the fines it imposes on individuals: “Complying will be a significant undertaking for financial institutions and all associated third parties - with the steep penalties for noncompliance leaving no room for mistakes. For larger organisations with the resources to dedicate to compliance, the regulation will be easier to adhere to than for smaller companies with low budgets and over-stretched teams.
“Outsourcing compliance to third parties can alleviate the pressure on smaller firms, but will ultimately impact bottom lines. However, with resilience and compliance requirements becoming an increasingly common feature of RFPs, proving resilience will be
key, not only to driving growth but to avoiding DORA penalties.”
Bagourdi pointed to DORA’s individual liability clause as a push towards a “zero-risk culture that will ultimately reduce growth and hamper innovation.” Bagourdi also noted that tightening regulation will increase pressure on professionals and is likely to negatively impact mental health.