
The Digital Operational Resilience Act (DORA) has officially taken effect, marking a transformative shift in how financial institutions across the European Union (EU) manage operational risks. Applicable since January 17, 2025, DORA introduces binding requirements for ICT risk management, ICT incident reporting, digital operational resilience testing, and third-party risk oversight, requiring financial entities to strengthen their cybersecurity and risk management frameworks.
This regulation highlights the critical need for financial institutions to transition from compliance preparation to active and continuous risk management to maintain operational resilience.
What is DORA?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a landmark regulation designed to harmonize operational resilience requirements across the EU financial sector. The regulation covers a broad spectrum of financial entities, including banks, insurers, investment firms, and payment institutions, and brings the critical Information and Communications Technology (ICT) third-party service providers that serve them under a dedicated oversight framework.
DORA mandates financial entities to:
1. Assess concentration risks related to outsourcing critical functions to third-party providers.
2. Conduct regular ICT risk assessments to identify vulnerabilities and threats.
3. Implement digital operational resilience testing to prepare for potential disruptions, such as cyberattacks or service outages; entities identified as significant must additionally undergo threat-led penetration testing (TLPT) at least every three years.
4. Include legacy systems in ICT risk assessments, addressing risks posed by outdated technology.
Key Focus: Third-Party Risk Management
Under DORA, financial institutions must carefully manage their dependencies on third-party providers. This involves continuous risk assessment, proactive due diligence, and integrating third parties into long-term security strategies.
“DORA emphasizes the importance of maintaining a resilient ecosystem,” said Loren Johnson, senior director of product marketing at Aravo. “Financial institutions must ensure their ICT systems can withstand, respond to, and recover from disruptions.”
Carl Leonard, EMEA cybersecurity strategist at Proofpoint, noted that third-party risk management is central to building resilience:
- Concentration Risk: Financial entities are required to evaluate the risks associated with outsourcing critical functions to a limited number of vendors.
- Transparency in Partnerships: Institutions must establish clear contracts and service-level agreements (SLAs) to embed DORA’s expectations into their third-party relationships.
A Continuous Journey Beyond Compliance
Experts emphasize that achieving compliance under DORA is not a one-time goal but an ongoing process. “True organizational resilience is a continuous journey,” said Leonard. He stressed the importance of:
1. Regular Risk Assessments: Evaluate vulnerabilities as new technologies, services, and suppliers are integrated.
2. Strong Cyber Hygiene: Focus on fundamental practices like employee training and system updates to complement advanced technologies.
3. Collaborative Efforts: Work with managed service providers (MSPs) to navigate DORA requirements and support third-party providers in meeting compliance standards.
Addressing Legacy Systems and Evolving Cyber Threats
One of DORA’s critical requirements is the inclusion of legacy ICT systems in risk assessments. Financial institutions must identify outdated or unsupported systems and ensure they are part of their resilience planning.
Philip Benton, principal analyst at Omdia, highlighted this challenge, noting that DORA calls out the risks associated with legacy infrastructure explicitly. “Legacy modernization is an ongoing issue within financial services, and DORA requires firms to assess and manage these risks comprehensively,” he said.
Additionally, Benton pointed to emerging cyber threats, including the anticipated “Q Day” quantum cyberattacks, as reasons for financial institutions to remain vigilant. With one-third of banks increasing IT spending on cybersecurity, the industry is shifting from reactive measures to a more resilient approach to operational risk.
The Cost of Non-Compliance
DORA’s strict compliance requirements come with significant penalties. For critical ICT third-party providers, the regulation itself provides for periodic penalty payments of up to 1% of average daily worldwide turnover, charged daily for up to six months; for financial entities, administrative penalties are set by each member state’s competent authority. Either way, it is imperative for financial institutions to align their operations with the regulation’s mandates.
For many organizations, this may require:
1. Overhauling Risk Management Programs: Reassessing third-party providers and possibly replacing vendors unable to meet DORA standards.
2. Strengthening Resilience Testing: Conducting rigorous system tests to ensure operational continuity during disruptions.
3. Proportionality in Risk-Based Approaches: Allocating resources to areas with the highest risks while maintaining transparency in regulatory reporting.
Collaboration and Transparency: Cornerstones of DORA Success
Transparency and collaboration are key to meeting DORA’s objectives. Financial institutions are encouraged to work closely with their third-party providers to strengthen the entire ecosystem.
“Success under DORA relies on banks embedding the regulation’s requirements into every layer of their operations,” Johnson said. He emphasized the need for clear communication, support for smaller vendors struggling to meet compliance, and a shift from reactive responses to proactive resilience-building.
While compliance with DORA may initially be resource-intensive, the long-term benefits of operational resilience, reduced disruptions, and stronger cybersecurity far outweigh the costs.
Conclusion: Shaping the Future of Operational Resilience
The implementation of the Digital Operational Resilience Act (DORA) marks a significant milestone for the EU financial sector, signaling a shift toward a more secure and resilient operational framework. By focusing on third-party risk management, addressing vulnerabilities in legacy systems, and investing in cybersecurity, financial institutions can ensure they are well-prepared to navigate evolving threats.
As Benton aptly put it, “DORA puts cybersecurity front and center, but it’s not just about stopping attacks. It’s about building systems that can take a hit and keep going.”
By fostering collaboration, prioritizing transparency, and adapting to emerging risks, financial institutions will not only meet DORA’s requirements but also enhance their long-term resilience and competitive edge.