In January 2025, European financial and insurance institutions, their business partners and providers, must comply with DORA.
In January 2025, financial and insurance institutions in Europe and any organizations that do business with them must comply with the Digital Operation Resilience Act, also known as DORA. This regulation from the European Union (EU) is intended to both strengthen IT security and enhance the digital resilience of the European financial market. Much like GDPR, this act promises to exert significant influence on the activities of organizations around the world. Its official launch date of January 17, 2025, means there are some pretty stringent deadlines.
Can this be done? Will organizations be ready? These were questions posed in a recent podcast with guest Romain Deslorieux, Strategic Partners Director, Global System Integrators at Thales. He suggested that it might be a “tough call for any organization to follow and to reach as a compliance deadline.” But he also pointed out that the European Supervisory Authority (ESA) is busy defining some of the regulatory technical standards that will provide precise and technical guidelines for organizations to follow. He added that most financial entities have already started to investigate DORA, including defining a roadmap, although it may be time for them to accelerate these activities.
Companies that operate in the world of finance and insurance are no strangers to broad regulations, both internal and international. Still, DORA is a reminder of just how agile they must remain, given that speed is all around them. The incredible rate at which AI technologies were discovered and embraced by end users and then deployed into workplaces everywhere shows just how difficult it can be for an organization to keep on a safe and even keel. The challenge doubles when we factor in the relentless creativity and determination of a criminal element that is always keen to exploit new technologies before adequate safeguards are implemented.
Third-Party Risk
Perhaps one of the most striking elements of DORA is its focus on third-party risk management, which is one of its key pillars. Additional podcast guest Mark Hughes, Global Managing Partner, Cybersecurity Services, IBM Consulting, pointed out how events such as Colonial Pipeline clearly showed how a single piece of a supply chain can have a disproportionate impact on all the other parts. He says this is why DORA places such focus on third-party risk management – not just in conducting risk assessments but also monitoring them.
In a single word, the DORA initiative is about resilience. That’s what the “R” stands for, after all. It’s an updated effort to enhance a fortress while still allowing the free movement of the vital data that keeps economies going.
Sticking with the supply chain in the context of resilience, Romain suggests we take a lesson from cloud technology. Cloud systems and services, he says, represent an essential part of operational resilience, and being a central point of an organization’s data, they must remain up and available. Yet, at the same time, they are also subject to challenges of territoriality in terms of where data can be stored, where the most influential cloud organizations come from, and how sovereignty can be maintained.
The Resilience Clock Is Ticking
The fact is there’s not much time for companies to get their various ducks in a row. Therefore, financial organizations based in Europe that will be at the forefront of compliance preparation must fully assess their current digital systems and processes to find vulnerabilities and resilience gaps. They must also strengthen cybersecurity measures, including encryption, firewalls, and regular security audits, and have incident response plans in place. The same type of requirements should be made for operational risk management and business continuity planning, both of which help ensure they can maintain critical operations in the event of disruptions or cyberattacks.
Strategic activities to be built into this very short timeline include ongoing vigilance of DORA itself within an evolving regulatory landscape, increased or improved collaboration and information sharing, investment in technology and talent, and improved board oversight and governance.
Organizations based outside the areas where DORA directly applies (most of Europe plus Iceland and Norway), should also ensure they understand DORA Requirements and open communication channels with their European partners. In addition to staying informed, they may also consider adopting other internationally recognized cybersecurity and operational resilience standards and frameworks, such as ISO 27001 for information security management and ISO 22301 for business continuity management.
It is virtually guaranteed that similar sets of regulations will be imposed by other economic areas of the world, creating challenges for companies either in finance or working with them. This promises to generate sets of economic blocks at the same time as it opens new areas of commerce. However, these changes are best seen as opportunities to finetune an organization’s information security systems and to reaffirm relationships with vendors and experts to ensure continued security and compliance.
About the author: Steve Prentice
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Europe financial industry)