Given the complexity and interconnected nature of the financial services ecosystem, it’s hardly surprising that operational resilience remains under regulatory scrutiny and review. The consequences of isolated or systemic disruption to services, particularly due to cyberattacks, could be catastrophic, and authorities are quite rightly focused on both prevention and mitigation.
One of the consequences of these challenges is that from 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) will come into force. Oversight activities begin and there are harsh financial penalties for non-compliance. The objective behind DORA is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”
On a practical level, it will harmonise the operational resilience rules across 20 different types of financial entities and ICT third-party service providers. These include the likes of credit and payment institutions, investment firms, crypto-asset services providers, organisations in the insurance and retirement sectors, and even crowdfunding services, among others.
The regulations require organisations to focus on a range of key areas. These range from ICT risk management (including third-party providers), digital operational resilience testing and incident reporting, to information sharing and the implementation of an oversight framework for critical third-party ICT providers. As such, they have the potential to have far-reaching consequences for financial entities and ICT providers who operate without the proper processes or controls in place.
“As an EU law, DORA will not apply directly in the UK or outside Europe, but – in a similar way to GDPR – it is relevant to many outside EU based financial entities or ICT providers that supply services to organisations in the EU”, Darren Thomson, Field CTO EMEAI at Commvault Told EngineerIT. “They need to abide by its rules, with violations potentially leading to penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case. If GDPR enforcement is anything to go by, EU regulators are fully focused on the rules, with over €4 billion levied on organisations in breach of GDPR since 2018.
In an environment where regulations play an increasing role in determining the direction of cybersecurity strategy, it’s vital that organisations hone their approach to compliance in general. Doing so opens the prospect of a win-win whereby digital security and resilience are given the emphasis they deserve, and fewer organisations fall victim to serious breaches. What’s almost certain, however, is that at some point in 2025 the first DORA-related enforcement action will be announced. Organisations that prepare now can minimise their chances of making the wrong kind of headlines.”