DORA is GDPR’s big brother, addressing cyber risk across EU financial services

Written by Henry Duncombe

Tuesday, 9 April, 2024

8 key points you need to know about DORA

1. What is DORA and why does it exist?

Not to be confused with the cute Latina girl cartoon and her monkey friend Boots, DORA (the Digital Operational Resilience Act) is a new European Union regulation established to enhance the IT security of financial entities such as banks, insurance companies, and investment firms.

A simple way to think about DORA is that it is the General Data Protection Regulation's (GDPR) big brother for financial services. Unlike GDPR, though, DORA is not focused on protecting the personal data of EU citizens but on ensuring that financial services firms and their critical service providers have robust operational cyber security measures in place.

2. So why more regulation?

Before DORA, regulation was not focused specifically on the operational risks financial firms face from cyber security threats, and there was no clear, harmonised approach or robust framework across the EU member states.

3. What is it looking to achieve?

DORA has the following objectives:

  • Enhancing Resilience: DORA ensures that the financial sector maintains its resilience even in the face of significant operational disruptions.
  • Managing Cyber Risks: It establishes consistent and harmonised principles for handling cyber risks, simplifying the reporting process for cyber incidents.
  • Supervising Third-Party Risks: DORA addresses the management of third-party Information Communications Technology (ICT) risks, including monitoring service providers and defining essential contractual terms.
  • Testing Operational Resilience: The regulation mandates both basic and advanced testing to enhance digital operational resilience.
  • Reporting Incidents: Financial entities are required to report major ICT-related incidents to relevant authorities.
  • Facilitating Threat Information Exchange: DORA promotes the sharing of information and intelligence related to cyber threats.

4. When does it apply from?

DORA entered into force on January 16, 2023, with an implementation period of two years. Financial entities are expected to be compliant with the regulation by early 2025.

5. How do I know if DORA applies to my business?

Firstly, assess whether your business falls within the business types that are in scope. These include:

  • Banks
  • Investment firms
  • Credit institutions
  • (Re)insurance undertakings
  • Electronic money institutions
  • Crypto-asset service providers
  • Crowdfunding platforms
  • Critical ICT providers

Then assess whether your business engages in financial market activities within EU jurisdictions. Having businesses, offices, or customers in the EU would put you in scope. If you are less directly connected to the EU, closer consideration is needed: for example, you may operate a fund which is structured within the EU, or you may be an Information Communications Technology (ICT) provider servicing a firm based in the UK which has EU business.

6. What does DORA mean for ICT Service Providers?

This is where DORA really stands out, as it is highly focused on the fact that the risks are not just for the financial firms to manage but must be managed across the whole financial system, which includes ICT providers. It has a special focus on separating critical and non-critical ICT third-party service providers and imposes different levels of oversight and contractual obligations on them.

7. What is the penalty if you fail to comply with DORA?

Here are the potential consequences for non-compliance:

Financial penalties: Entities failing to comply with DORA may face substantial monetary fines. The exact amount of the penalty depends on the severity of the violation, the impact on operational resilience, and the entity’s size and revenue.

Reputational damage: Non-compliance can harm an entity's reputation. Public awareness of regulatory violations can erode trust among customers, investors, and other stakeholders.

Operational restrictions: Regulatory authorities have the power to impose operational restrictions on non-compliant entities.

8. Would adopting ISO 27001 help me comply with DORA?

Firms which are ISO 27001 certified are likely to have a head start over other firms. In order to meet the requirements of DORA, however, certain areas such as business continuity and incident response are likely to need enhancement.

Make sure you’re compliant

DORA is a new EU regulation that enhances IT security for financial entities within the EU. It focuses on managing cyber risks, ensuring operational resilience, and supervising third-party risks. It is therefore important to ensure your business complies with these new regulations, as non-compliance can lead to penalties and cause reputational damage. It is sensible to consider adopting ISO 27001 as a foundation for compliance, but further enhancements will probably be necessary.
