While it is an EU regulation, DORA will have far reaching consequences for financial institutions worldwide, Forrester analyst says.
The EU’s Digital Operational Resilience Act (DORA) took effect on 17 January, binding the region’s banking and financial landscape under strict regulations to protect their vital systems from cybersecurity threats.
Encompassing more than 22,000 institutions, including banks and e-banks, investment funds, insurance and reinsurance undertakings, crypto service providers and information and communication technology (ICT) third-party service providers, the legislation requires entities to conduct thorough ICT risk management, report cyber threat incidents to authorities and carry out digital operational resilience testing – effectively placing a stronger onus on institutions’ boards to ensure compliance with security measures.
Moira Cronin, a digital risk partner at PwC Ireland, explains that prior to DORA, financial institutions were often on the “back foot” and managed operational risks only by ensuring that they could respond to and recover from incidents.
DORA – which entered into force two years earlier in January 2023 – has evolved the landscape, Cronin explains, “where firms are now expected to anticipate, respond, recover, learn and evolve”.
“At its core, it is pushing individual firms to own the risks associated with the resilience of their full ecosystem and be accountable to its customers and stakeholders.”
A 2024 EY risk management survey reported that 82pc of European banking chief risk officers believed that cybersecurity would present the biggest risk to their business that year, and speaking to SiliconRepublic.com earlier last year, Kris Lovejoy, a global security and resiliency leader at Kyndryl, said that firms should see cybersecurity resilience “from the perspective of hygiene”.
“The answer is really to focus on knowing what kind of technologies you have in place through good inventory systems, ensure you’re patching them, ensuring you’re hardening them, ensuring you’re monitoring them, and ensuring that you have some mechanism to recover them when something goes wrong.”
Moreover, Forrester’s senior analyst Madelein van der explains that DORA will have a significant impact on companies outside the EU, particularly in North America and the Asia-Pacific (APAC) regions.
“The regulation will influence financial institutions operating in or with connections to the EU, requiring them to integrate DORA compliance with their local regulatory requirements.”
“DORA also establishes a global benchmark for operational resilience in financial services. Companies in North America and APAC will likely align their practices with DORA to remain competitive, ensure interoperability with EU clients, and strengthen their operational resilience.”
However, while penalties for non-compliance under DORA are hefty, they are not as harsh as under the GDPR. Institutions found non-compliant with DORA will incur fines up to 2pc of their global annual turnover or €10m, whichever is higher, while organisations may also face 1pc of their daily global turnover as a fine for each day of non-compliance.
According to Cronin, Irish organisations have shown a “mixed bag” of readiness in relation to DORA.
“We see financial firms who are on a journey to compliance having done their gap assessments, roadmaps and are actively implementing changes and others, unfortunately, who are in a less prepared position.”