Are you ready for DORA?
The Digital Operational Resilience Act (DORA) is underway – and firms need to act now to build momentum towards the January deadline.
Whether you’re a bank, investment company, data reporting provider, or cloud service company, your firm is expected to be compliant by 17th January.
What are the key aims of DORA?
Created in response to the European Commission's Digital Finance Strategy, DORA aims to:
- Enhance resilience: Improve the ability of financial institutions to withstand cyber threats and disruptions.
- Establish a consistent framework: Put in place a uniform set of rules for managing digital operational risks across the EU.
- Promote risk assessment: Require firms to assess their digital operational risks and implement appropriate measures to mitigate them.
- Foster governance: Set out the governance activities required to manage risks throughout a company's lifecycle, emphasising the roles of senior management and the board.
By achieving these objectives, DORA seeks to strengthen the resilience of the financial sector and ensure its ability to adapt to the evolving digital landscape.
What does DORA mean for you?
DORA imposes several key requirements on companies, including:
- Enhanced communication: Financial organisations must establish arrangements for regular exchange of cyber threat information and have clear processes in place to respond to threats.
- Third-party risk management: Firms must develop strategies to manage the risks associated with third-party ICT service providers, including exit plans, substitutability assessments, and testing requirements.
Third-party ICT service providers that are identified as “critical” by the European Supervisory Authorities (ESAs) may face fines of up to €5m for non-compliance. For an individual, a maximum fine of €500,000 may be imposed.
- Compliance and governance: There are also high penalties for organisations that fail to meet the governance and regulatory requirements. The legislation provides for fines of up to 2% of a firm’s total annual worldwide turnover, and where penalties are applied to an individual, the maximum fine is €1m.
Financial entities that avoid reporting major ICT-related incidents or significant cyber threats may also face significant penalties.
Can DORA affect my organisation even if we’re based outside of the EU?
Although DORA is an EU regulation, its reach can extend beyond the EU. Companies with offices in the EU or those providing services to EU-based financial institutions may still need to comply.
- For instance, a US-based business serving a US bank could be indirectly impacted if that bank operates within the EU.
- While DORA hasn’t yet been adopted in the UK, it’s anticipated to become part of UK law in the near future.
All organisations, regardless of their location, should review their operations to determine if they fall under DORA’s regulations and identify the necessary compliance steps.
What you need to do next
It’s important to remember that you don’t have to build digital resilience alone. Our specialists can bring the right people on board to help you meet DORA’s new regulations and avoid non-compliance.
If your organisation needs support to prepare for the upcoming deadline, get in touch with our team to learn about our expert consultants.