The EU’s Digital Operational Resilience Act (DORA) will come into effect on January 17, 2025. That gives financial institutions plenty of time to prepare, right? Maybe – but there’s also plenty of work to be done before the deadline. Here’s why you need to start getting ready sooner rather than later.
Meet DORA
DORA’s main objective is to harmonize current regulations on digital operational resilience in financial entities across the EU (something the European Central Bank and other EU authorities are also prioritizing). To achieve this, the EU has made DORA a regulation rather than a directive, meaning it’ll be directly implemented in each member state without first being translated into national law.
Its broad scope will encompass many institutions that aren’t covered by existing cybersecurity legislation like NIS2; in fact, DORA requirements will prevail over NIS2 in the case of conflict. The EU’s goal is that this simultaneous harmonization and expansion will help address the risk of cyberthreats, particularly across borders.
So why is DORA such a significant step for many financial institutions? Fundamentally, the regulation will make cybersecurity the responsibility not only of IT but also of senior management and the board. As a result, digital operational resilience will need to be firmly embedded within corporate strategy – much like sustainability is today.
Spotlight on resilience
Resilience is defined by the EU as “the ability not only to withstand and cope with challenges but also to undergo transitions, in a sustainable, fair, and democratic manner.” Digital resilience is just one aspect of this concept, but for financial organizations it’s an essential pillar of sustainable growth and development. As part of the EU’s Digital Finance Package, DORA has been developed to make sure financial entities and IT providers can deal with any social, political, or environmental risks that might arise during the region’s ongoing digital transition.
“Resilience doesn’t mean nothing ever happens,” says Katharina Ortlepp, Senior Consultant at ACE + Company. “It means you have the tools to react when problems do occur. It’s not static: responding to incidents is about learning and improving for the future.”
With that in mind, it’s important for financial organizations to think of DORA compliance not as a box-checking exercise, but as a way to nurture a better, more secure growth landscape in the financial sector. Seizing the opportunity to optimize all processes will improve digital operational resilience – and thereby the resilience of the organization as whole.
More transparency, greater security
One key focus area within DORA is third-party risk management. For financial institutions, that means clearly defining their critical services, identifying the third-party providers of those services, and clarifying who within the organization is responsible for monitoring those providers.
This is something a surprising number of financial entities don’t currently have a firm handle on. According to Chiara Gamarra, Manager at ACE + Company, they should: “If one IT company provides a service to five banks, and one of those banks suffers a cyberbreach, the other four banks might never know about it,” she explains. “That means they can’t act to prevent it happening in their own organization. A single breach could create a domino effect across multiple banks, so they all need to be aware of the risks up front. Consistency in reporting and inventorying is a big advantage from a security and resilience standpoint.”
How to get ready for DORA
2025 might seem far away, but with a regulatory change of this size, preparation is everything. “Ensuring compliance with DORA means acting quickly,” says Chiara. “Organizations need to build internal awareness around the new regulation and its impacts – but for many it’s hard to know where to begin.”
Don’t worry: at ACE, we’re already working closely with clients to ensure full readiness for and compliance with DORA. For example, our experts can help perform a gap assessment to identify what’s already in place in your organization and, crucially, what needs to happen to bring your IT and third-party risk management frameworks up to speed.
“Many financial institutions have a lot to do before DORA is implemented,” Katharina says, “but it’s also a great opportunity to streamline processes. Remember, compliance isn’t for its own sake; it’s about helping your organization improve its resilience in today’s unpredictable world – so embrace the challenge!”
And we’re here to help: so, if you’d like to learn more about DORA, discuss a gap assessment, or find out how else we can support you, contact our ACE team to plan a coffee and a chat.
Back to DORA is coming: Are you ready for resilience?