Financial institutions (FIs) manage a lot of sensitive data, which makes this domain a gold mine for cybercriminals. This is why it’s understandable that FIs spend millions of dollars each year on cybersecurity products and services.
According to McKinsey, annual spending on cybersecurity in the financial services industry is expected to increase over the next 2-3 years. In addition, 70% of companies value financial compliance and security against external threats.
However, even after allocating sufficient capital, the lack of operational resilience regarding Information and Communication Technology (ICT) can still harm the financial system. This is the threat gap that DORA aims to fill.
Short for Digital Operational Resilience Act, DORA is the EU’s latest regulation, which is effective from the 17th of January 2025. This regulation provides a comprehensive framework for operational resilience and risk management in the financial sector.
In the first part of this blog series, let’s understand:
- What is DORA?
- Who needs to comply with DORA – and the scope of this regulation?
- Why do organizations need to comply with DORA?
- Why must FIs comply with DORA?
What exactly is DORA?
Simply put, DORA is the EU’s cybersecurity blueprint (or guideline) for FIs to implement to safeguard their systems from ICT-focused incidents. With this regulation, FIs are expected to comply with the following requirements:
- Comprehensive ICT risk management
- Voluntary reporting of any major ICT-related incident
- On-time reporting of any security or payment-related incidents to the concerned authorities
- Regular resilience testing of their operational systems
- Sharing of cybersecurity information and intelligence
DORA applies to all EU-based financial institutions, including banks, investment firms, and trading platforms.
With the application of the DORA regulation, FIs in the EU can standardize their requirements for cybersecurity and operational resilience by applying the following best practices:
- Build and deploy robust systems and processes that can withstand and respond to operational threats in the form of cyberattacks and system failure.
- Augment the protection of sensitive customer data using effective cybersecurity measures.
- Create a uniform standard of cybersecurity practices across all financial entities operating in the EU.
- Empower supervising authorities to monitor and evaluate the operational resilience of companies – and take appropriate actions to mitigate any issues or flaws.
Now that you are familiar with the basics of DORA, let’s understand the scope of this regulation – and who is impacted by it.
Scope of DORA: Who Needs to Comply and What’s Covered?
As mentioned before, DORA applies to all financial institutions operating in the EU. This includes:
- Traditional entities in the financial sector, including banks, credit institutions, and financial investment firms.
- Non-traditional entities such as crowdfunding platforms and cryptocurrency service providers.
- Third-party service providers – including cloud service providers and data centers – that enable the deployment of ICT systems and services for FIs.
- Third-party information services including credit rating agencies and data analytics providers.
To comply with DORA regulations, these entities must fulfill the following requirements:
- Risk assessment and management
FIs must develop a robust security risk assessment and management framework, which is fully integrated into their business strategy and processes.
- Business continuity
This requirement entails that FIs must develop a business continuity plan to continue providing their business services in the event of a serious disruption.
- Incident reporting
FIs must immediately report any security incident which can impact their business continuity or pose a larger threat to the overall financial system.
- Cybersecurity
FIs must also adopt and implement effective cybersecurity measures that can prevent or mitigate cyber threats and data breaches.
With the inclusion of third-party risk management, DORA applies its requirements to FIs as well as third-party ICT service providers. This mandates that before outsourcing an important financial function to external service providers, FIs must evaluate contractual agreements that detail the following elements:
- Security audits and accessibility requirements
- Data integrity and security measures
Next, let’s understand why DORA is a game-changer for operational resilience in the financial sector.
Why DORA? Understanding the Need for This Regulation
With increasing risks to the EU’s financial domain, regulators are constantly under pressure to develop a highly resilient financial system. Among the latest incidents, the CrowdStrike outage caused financial damages of up to billions of dollars.
Thanks to its robust rule-based system, DORA can build operational resilience in the EU’s financial system. By complying with DORA, FIs are better prepared for risk management initiatives.
Before the introduction of DORA, risk management regulations for EU-based FIs focused simply on ensuring that companies had sufficient capital to manage their risks. Most of these regulations depended on general principles instead of specific technical norms. Without any standardization, each EU member state defined its own guidelines and requirements, and most FIs found it challenging to navigate through them.
DORA simplifies the process by providing a universal framework to manage ICT-related risks in the financial domain. Through harmonized regulations, DORA addresses the gaps and conflicts caused by disparate regulations across Europe. With this shared set of rules, financial entities find it easier to comply, which improves the overall resilience of the financial system.
With this level of consistency, DORA ensures that every complying FI is subject to the same regulatory standard. Next, let’s understand the importance of DORA – and why financial institutions in the EU must comply with it.
Why Compliance with DORA is Critical for Financial Institutions
Financial institutions can face severe consequences for non-compliance with the DORA regulation, including:
- Administrative fines of up to €10 million – or 5% of their annual turnover.
- Public reprimands from supervisory authorities that can damage the brand image.
- Heavy compensations to customers or third-party companies resulting from a severe failure.
- Loss of authorization to conduct business in the EU region.
While FIs can face these consequences because of non-compliance, DORA compliance can be beneficial in the following ways:
- Improved risk management
By adhering to DORA regulations, FIs can now identify, assess, and mitigate any ICT-related risks. DORA provides a complete checklist to ensure that FIs are complying with all requirements related to risk management. Additionally, they need to implement effective risk management strategies to disrupt potential cyberattacks.
- Operational resilience
FIs can boost their operational resilience by ensuring the continuity of their business operations during any disruption. They also need to continuously test their operational resilience and disaster recovery plans. DORA provides EU-based FIs with a standardized regulation that makes them more operationally resilient.
- Improved data security
DORA improves data security by mandating strict data protection measures, which can ensure data security and integrity. FIs need to implement strict data governance frameworks to safeguard sensitive data like customer information. In addition, DORA can reduce the risk of data breaches.
- Organizational culture
With DORA compliance, FIs can build a culture of security compliance across their teams. This culture fosters a proactive approach toward risk management and compliance. FIs can also adopt the industry’s best practices to ensure DORA compliance.
Conclusion: The Road Ahead for DORA Compliance
In data-critical industries like the financial sector, DORA is essential for building operational resilience across their IT infrastructure. As outlined in the first part of this blog series, DORA is crucial for FIs to standardize their cybersecurity measures across the EU.
In the following installment, let’s discuss how synthetic data is crucial for DORA implementation, along with the best organizational strategies for a successful DORA implementation.
As a trusted cloud partner for Google Cloud, Onix provides a host of cloud services to financial companies. Our Kingfisher tool can help generate synthetic data to test your AI systems and models.
Reach out to us to know more or take our expert consultation.