Designed to strengthen the digital resilience of the financial sector, the EU’s Digital Operational Resilience Act comes into force this January
2025’s push to get a handle on emerging technologies opens with the EU’s Digital Operational Resilience Act (DORA), which requires financial institutions and critical sectors to strengthen their cybersecurity frameworks. It comes into force as of January, and financial companies that rely on digital systems need to get ready.
DORA’s objective is to ensure “digital operational resilience” in the EU’s financial sector. This means that banks, insurers, investment firms and even their third-party tech providers will need to withstand digital disruptions, cyber threats and operational breakdowns.
The law sets standards for how businesses should manage ICT (information and communication technology) risks. This covers everything from governance protocols to ongoing monitoring of your business’ systems and policies. Under DORA, any major digital incident must be immediately reported to relevant authorities.
Digital systems must be assessed regularly, either through vulnerability tests or in-depth threat simulations. DORA also covers the management of risks associated with third-party vendors, so you’ll need to assess and regularly monitor your tech partners as well. The law also encourages sharing information about cyber threats across the industry, so businesses can stay ahead of potential cyber attacks.
DORA affects companies outside the EU if they do business with EU-based clients, rely on EU-based third-party service providers, or have branches or subsidiaries operating in the EU. UK institutions with cross-border operations, EU clients or third-party partnerships will likely need to comply with DORA’s standards covering ICT risk management, incident reporting, resilience testing and third-party risk management.
Getting ready for DORA
How can you get your business ready to be compliant with DORA? Start by assessing your digital systems, incident protocols and risk management policies. Next, clarify who’s responsible for identifying, monitoring and mitigating risks, and make sure they have the tools to do this.
Focus on how your business detects and responds to incidents, and make sure you have the right tools in place to recognize issues as they happen. It is also important to conduct regular testing to confirm your systems can handle potential disruptions.
Review your relationships with third-party vendors. Under DORA, you will need to ensure your vendors comply with the digital resilience standards the law requires. You may need to review contracts and work with your vendors to develop monitoring systems.
It will help to invest in training programs for your employees so they’re aware of the risks and ready to respond to issues. You might also consider automated reporting tools to streamline the incident reporting that DORA requires. Information sharing is important under DORA, so you’ll want to join networks that share insights on cybersecurity.
DORA’s scope may seem challenging, but by strengthening your ICT resilience you can help prevent disruptions and fortify your company against cyberattacks and operational failures.