The clock has finally run down for financial firms racing to prepare for the EU’s Digital Operational Resilience Act, with the long-trailed legislation coming into force today.
DORA adds to a blizzard of tech-related legislation blowing in from Brussels. It comes just months after the EU’s Network and Information Systems Directive 2 (NIS2) regulations took effect. Tech leaders and compliance heads also must consider the impact of Brussels’ Digital Services Act, which kicked in last year, and the rolling implementation of the AI Act and the Cyber Resilience Act this year.
DORA aims to, in the EU’s words, strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and mak[e] sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”
It brings in explicit rules for a range of ICT/cybersecurity issues, including risk management, incident reporting, operational resilience, and third-party products. Breaching the regs can mean penalties for firms of up to 2% of worldwide turnover, while individuals can be fined up to €1m. Third-party suppliers can be hit with fines of up to €5m. Not reporting an ICT-related incident or threat can also lead to fines.
While the act came to fruition after the UK had exited the European Union, it’s still going to impact financial firms that operate in Europe, which means all but the most absurdly niche financial operators.
And if Brussels' regs don't get you, the UK's will. The Bank of England kicked off its own consultation on resiliency and reporting rules last month, explicitly flagging up the possibility of aligning with DORA.
Mitun Zavery, Vice President of Solution Architecture at supply chain security firm Sonatype, said following DORA was an opportunity for non-EU firms to clean up their systems and supply chains.
“If DORA becomes like GDPR, then prioritising compliance now will open doors as forms of this standard are adopted in the UK.”
Nevertheless, he predicted the same sort of “scramble to tick the compliance box as we did when GDPR came into force in 2018.”
While financial firms are explicitly required to understand their supply chains under DORA, the same should be good practice for any responsible firm, said Joe Vaccaro, Head of Cisco ThousandEyes. “Achieving digital resilience in the face of disruptions is a boardroom issue no matter what industry you’re in.”
But right now, that seems to be more of an aspiration than a reality for many firms.
Research amongst UK companies by UK-based consultancy Green Raven showed that 43 percent of financial firms agreed with the statement, “Our supply chain feels like the weakest element of our cybersecurity regime”.
The firm’s CEO, Morten Mjels, said it was likely that all the financial firms surveyed interacted with the EU and were therefore subject to DORA. “The standout observation for me is not the 43% proportion itself. It’s that - after all the preparations for DORA that they must have done - so many of them still feel their supply chains are their weakest link.”