DORA is coming. Are you ready?
5 steps you need to take to be prepared for next year’s deadline
DORA is set to transform the financial services sector by enhancing cybersecurity and operational resilience across the EU. Okta’s Stephen McDermid explains what DORA means for the finance sector and why many firms are turning to automation to manage the complex layers of regulation and compliance.
Financial services firms across Europe are counting down the months and days until DORA — the European Commission’s Digital Operational Resilience Act — comes into force.
On 17th January 2025, the 24-month preparation period will end and all financial services companies will need to comply with the DORA regulation.
What is DORA?
Introduced in response to increasing cyberthreats, DORA aims to ensure financial institutions can withstand, respond to, and recover from digital disruptions, safeguarding the broader financial system. DORA is designed to harmonise existing governance programmes under a single supervisory umbrella across the EU.
The impact of DORA
Having worked closely with financial services security teams and regulators, I’ve seen a shift in how firms approach cyber resiliency and safeguarding, particularly in light of the Digital Operational Resilience Act (DORA).
Today, there’s a necessary focus on minimising risk across digital supply chains. We need to ensure that management and governance are well prepared to address concerns around cyber safety, potential breaches, and vulnerabilities.
This is a big change, and it comes at the right time. Recent cybersecurity incidents highlight the critical risks associated with supply chain compromises and third-party access.
DORA is set to bring these issues into sharper focus for boards and CFOs, making it critical for them to have the right governance structures in place and, more importantly, the capability to respond effectively when incidents occur.
Complex layers of regulations to be managed
We live and operate in an increasingly complex regulatory environment. DORA is just one of several regulations coming down the line, including NIS2 and the Cyber Resilience Act (CRA). Managing compliance is a challenge, and businesses are now turning to automation to manage the growing burden of analysis, validation, and auditing required. In our recent Businesses at Work 2024 report, we saw the growth of data compliance tools hit 120% year on year.
How to move towards DORA compliance
When it comes to identifying key fault lines in their digital supply chains, companies increasingly recognise that while prevention is vital, it’s just as important to have robust testing and validation of controls in place. Incidents will happen, and the key to mitigating their impact lies in thorough preparation.
Here’s my advice on how to prepare for DORA compliance:
- Identify key suppliers and collaborate with them through scenario planning and simulations. Such efforts help organisations understand potential impacts and develop contingency plans.
- Continuously test and improve your contingency plans through data analysis and benchmarking against industry standards.
- Make sure you have operational resilience and third-party risk programmes in place. Align these existing programmes with DORA’s regulations and identify any gaps.
- Keep up with consultations and draft documents circulated in preparation for DORA’s Regulatory Technical Standards (RTS) requirements.
- Now is the time to engage with partners and peers to understand how others are meeting these challenges, facilitating knowledge sharing and collaboration.
Compliance is crucial
Financial institutions that fail to comply with DORA face heavy penalties, including fines, requirements to grant data access for investigation, and even mandates to halt operations.
For critical third-party providers serving financial services institutions, the stakes are equally high. Noncompliance could result in penalty payments of 1% of the provider's average daily worldwide turnover from the previous year, applied daily until compliance is achieved — for a maximum duration of six months.
And, of course, cyberattacks and breaches can negatively impact your investor confidence and market reputation. Confidence takes years to build but can be lost in an instant.
DORA represents a regulatory milestone for financial services firms, compelling you to take a more comprehensive and integrated approach to cyber resiliency and operational governance. Needless to say, DORA is stringent, but stringent for very good reasons. Whilst investment in DORA compliance may be large and require considerable resources, the repercussions of getting it wrong may be exponentially larger.
Find out more about Digital Identity and DORA
Digital Identity is central to DORA. To be DORA compliant, financial services organisations need to implement strong Identity management and authentication tools to improve access control and reinforce the security of operations and transactions. With an incredible 86% of web application attacks being traced back to compromised credentials, it’s easy to see why.
To find out how Digital Identity impacts DORA, your security, and the security of your customers, read the Okta whitepaper “The role of Digital Identity in DORA.”