The Digital Operational Resilience Act: Understand the Key Impacts for Financial Institutions

Cyber attacks have cost the financial services industry $12 billion in losses over the past 20 years. The attacks have more than doubled since the COVID-19 pandemic and continue to grow due to an increase in digitalization and geopolitical tensions, according to the International Monetary Fund’s (IMF) 2024 Global Financial Stability Report.

As banks, insurers, asset managers and other financial entities handle large transactions and enormous amounts of sensitive data, this rise in cyber attacks has the potential to disrupt world markets and destabilize economies. 

To combat these risks, the European Union (EU) enacted the Digital Operational Resilience Act (DORA), a recent addition to its existing regulations aimed at creating operational resilience in financial entities in all the member states. 

What is DORA? 

The Digital Operational Resilience Act (DORA) is a “comprehensive framework on digital operational resilience for EU financial entities.” DORA aims to strengthen the digital resilience of the financial industry against information and communication technology risks. 

Its main goal is to ensure financial institutions are able to reliably maintain operations when cybersecurity incidents or significant disruptions occur.

Why is DORA necessary?

The increased digitalization of financial services and rising cybersecurity threats highlighted a need for a unified regulatory framework that addressed digital operational resilience in the EU.

This is particularly critical given that today’s financial institutions rely heavily on information and communications technology (ICT) for most of their operations including online and mobile banking, ATMs, payment systems and core banking systems. These technologies also extend into risk and fraud management; data and analytics; telecommunications; automated trading systems; cloud computing; and branch automation and identity verification. 

The interconnectedness and digital nature of financial service organizations means a disruption in service or cyber breach could have a massive impact on an organization as well as financial markets globally. Establishing a high-level of operational resilience protects consumers and market confidence. 

From the EU regulatory standpoint, DORA reduces existing fragmented regulations and policies—minimizing inconsistencies and creating a primary, regulatory framework applicable across all EU member states. This simplifies the process for organizations that operate across multiple countries. 

Further, the COVID-19 pandemic highlighted how unprepared many businesses—including financial institutions—were for unforeseen disruptions. With DORA, the EU hopes to better future-proof the financial market and help organizations ensure long-term stability.

When does DORA go into effect? 

Although DORA went into effect January 2023, enforcement of the new regulation begins January 17, 2025. 

DORA timeline

• November 10, 2022: Approved at European Parliament plenary session
• January 2023: Adopted as an EU regulation
• January 2024: First wave of policy standards released
• July 2024: Second wave of policy standards released and adoption of delegated regulations 
• January 17, 2025: The date by which in-scope organizations must comply with DORA
• End of 2025: Penetration testing begins

What types of organizations does DORA apply to?

DORA applies to any financial institution that operates in the European Union, including non-EU organizations with branches inside of the EU. The regulation also applies to any non-EU third parties that provide services to any organizations within the EU. Finally, if an EU organization outsources ICT services, the vendor(s) that provides those services must also comply. 

Examples of in-scope entities

• Payment institutions
• Investment firms 
• Insurance companies
• Credit rating agencies
• Crypto-asset service providers
• Crowdfunding service providers
• Data analytics and audit services
• Fintech
• Trading venues

The 5 key pillars of DORA

DORA’s five pillars address several aspects of operational resilience: ICT risk management and governance, ICT-related incident management, digital operational resilience testing, ICT third-party risk, and information sharing.

No. 1: ICT risk management

This pillar requires financial institutions to have a “sound, comprehensive and well-documented ICT risk management framework” that enables organizations to address ICT risks “quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.” 

This framework should include procedures and policies to protect all components and infrastructures and should be reviewed annually.

---

AI for External Threat Detection: Hear From CISO Jesse Whaley

---

No. 2: ICT-related incident management

There are two key steps for this pillar, which require financial entities to: 

• Record all ICT-related incidents and significant cyber threats
• Establish a framework to ensure consistent and integrated monitoring, handling, and follow-up of ICT-related incidents to address and document the root cause 

This pillar also requires financial institutions to:

• Put in place early warning indicators
• Establish procedures to identify, track, log, categorize and classify ICT-related incidents by priority, severity, and the criticality of the service impacted 
• Assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios as well as communications plans 
• Ensure senior management and the management body are informed of at least the major ICT-related incidents; explain the impact, response and additional controls to be established as a result

No. 3: Digital operational resilience testing 

This pillar requires a robust digital operational resilience testing program with a range of assessments, tests, methods, practices and tools. The appropriate tests should be conducted yearly on ICT systems and applications supporting critical or important features. 

No. 4: Management of ICT third-party risk

DORA requires financial institutions to manage ICT third-party risk as an integral component of ICT risk. This means: 

• Creating a strategy for ICT third-party risk
• Maintaining a register of information of all contracted parties to be updated as needed
• Ensuring third-parties comply with the high security standards and document any risks
• Mapping ICT third-party ICT dependencies
• Avoiding over-reliance on one provider or a group of small providers for critical or important functions 

Given the number of third-party entities organizations typically engage with, managing and maintaining visibility of third-party risks is increasingly challenging.

Note that financial institutions may only enter into contracts with third-parties that comply with appropriate security standards.

No. 5: Information-sharing arrangements 

This pillar focuses on the sharing of cyber threat information and intelligence among financial entities. This includes information about indicators of compromise, tactics, techniques and procedures as well as cyber security alerts and configuration tools. 

The goal is to raise awareness of cyber threats, limit or impede the spread of cyber threats, support defense capabilities, and mitigate risks.

Who oversees DORA?

Oversight of DORA is assigned to the three European Supervisory Authorities (ESA). This group includes the:

1. European Banking Authority (EBA) 
2. European Securities and Markets Authority (ESMA) 
3. European Insurance and Occupational Pension Authority (EIOPA) 

These authorities are tasked with monitoring critical financial industry entities. As such, they have the power to request information, conduct off-site investigations and on-site inspections, impose penalties, and issue recommendations.

What is the penalty for DORA non-compliance?

Under DORA, non-complying financial institutions may be fined up to 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. The exact fine will be determined based on the gravity and duration of non-compliance, the level of negligence and the level of cooperation with the Lead Overseer—the entity responsible for enforcing DORA as designated by the ESA.

How are financial organizations progressing?

A recent survey of European financial institutions and critical ICT third parties of financial institutions found that 94% of financial organizations were “fully engaged in understanding the detailed requirements of the legislation; most are doing so through a dedicated DORA program, with DORA as a board-level agenda item,” according to McKinsey. Around one third of financial institutions expressed confidence that they would be able to fulfill all DORA regulatory expectations by January 2025. 

Achieving operational resilience is a significant challenge for any organization, but particularly for those in the highly-regulated financial services industry. The pressure and complexity of regulatory demands and large, interconnected, intricate global systems serve as additional catalysts for DORA.

With just a few months left until organizations must comply with DORA, in-scope entities should be devoting significant resources—including full-time roles—to implementation. This is an opportunity for financial institutions to establish true operational resilience and gain a better understanding of third-party operations and the potential risks they create.