Be DORA Ready: DORA Compliance Checklist
The enforcement date for the Digital Operational Resilience Act (DORA) regulation is fast approaching – January 17, 2025.
Financial institutions across the European Union must be prepared for the upcoming changes, using tools like a DORA compliance checklist, as the act seeks to improve the digital resilience of financial entities against cyber threats.
Does the industry need this? Absolutely. According to the IBM Cost of a Data Breach Report 2023, financial institutions rank second globally in cyber attack damage statistics, with losses of approximately $5.9 million per cyber attack in 2023, against an average of $4.45 million across all industries. The report also shows that there were twice as many cyber attacks on financial institutions in 2023 as in 2022.
DORA is a regulatory framework established by the European Union (EU) to strengthen digital resilience in financial institutions. It aims at making these entities able to withstand, respond to, and recover from various IT-related disruptions and risks. It forms part of wider efforts to enhance cyber security, including security testing and sound operation within Europe’s finance sectors.
DORA should also deal with the increasing complexity and interdependence of digital systems underpinning financial services. It helps ensure uniform standards among member states, guaranteeing high levels of protection and continuity of operations.
The requirements are stringent. Financial institutions must re-engineer their internal processes and systems, creating a more resilient and secure environment. Overall objectives include establishing a solid framework that reduces risk and enhances trust and stability within an evolving digital threat landscape.
DORA applies to most financial institutions, including banks and credit unions, insurance providers, investment firms and fintech companies. If it is a financial institution, chances are high that DORA applies to it. Third-party IT providers supporting these companies must also follow DORA compliance regulations, so in practice it covers the entire financial ecosystem.
DORA complements existing EU cybersecurity regulations, such as the GDPR and the NIS2 Directive, both of which are legal measures that boost cybersecurity in the EU.
Together they complement DORA by providing broader cybersecurity and data protection guidelines applicable across the EU. The GDPR focuses on protecting personal data and privacy, so financial institutions can engage in responsible, transparent information management. NIS2, by contrast, emphasises the robustness of cyber security measures and incident reporting for essential entities.
To establish a cohesive, comprehensive cybersecurity approach, financial institutions must integrate their DORA compliance efforts so that they align with GDPR and NIS2. This ensures all aspects of data protection, cyber security and operational resilience are covered, creating a holistic framework for digital threat management and regulatory compliance.
On January 16, 2023, DORA officially entered into force. Organisations have two years to realign themselves with the new requirements, ensuring full DORA compliance by January 17, 2025. To this end, the European supervisory authorities have been developing regulatory technical standards (RTS), which provide comprehensive guidelines for compliance that our DORA checklist follows.
Within the regulatory technical standards are five essential pillars:
Institutions must establish a comprehensive IT risk management framework. This involves ongoing monitoring, identifying potential cyber threats, and deploying appropriate cyber security measures. Regular assessments and updates are essential for effective risk management.
Companies must promptly report any significant ICT-related incidents to their respective regulators. This aims to improve understanding of IT risks across the financial sector and promote a coordinated response mechanism for incidents.
Entities must regularly test their digital operational resilience abilities against IT disruptions. That includes performing Threat-Led Penetration Testing (TLPT) that emulates cyberattacks and assesses how robustly the cyber security defences are designed.
Third-party IT service providers must be monitored closely and with due diligence, as DORA requires. Finance firms should subject these providers to proper risk management processes to minimise the chance of disruption and breaches originating from them.
Sharing information about cyber threats between financial entities helps improve overall robustness within the industry. It also assists in detecting threats more efficiently and addressing them more effectively. Collectively, this makes it easier to detect, protect against and respond to any attack.
As the enforcement date for the Digital Operational Resilience Act (DORA) approaches, financial institutions must not only comply with regulatory requirements but also be prepared for potential crises that could disrupt their operations. Effective crisis management is a critical component of digital resilience, enabling organisations to respond to and recover from cyber attacks or other operational disruptions swiftly and efficiently.
A robust crisis management plan includes clear procedures for handling:
Organisations must be prepared to face regulators, legal challenges, the press, customers, suppliers, and possibly the general public, depending on their industry.
To modernise the approach to crisis management, Acora, in partnership with Immersive Labs, offers a comprehensive platform that manages all elements of a crisis simulation. This platform enables businesses to conduct engaging and contextualised crisis management sessions with executive teams, ensuring that everyone understands their roles and responsibilities.
Running regular crisis management simulations provides several benefits:
To aid your understanding of the intricate provisions of DORA, this is a comprehensive DORA compliance checklist you can use to ensure compliance:
Delineate Scope and Applicability
Breaking DORA rules can result in huge fines, revoked permission to operate, and public reprimands, all of which institutions can avoid with the DORA checklist. Financial penalties can be severe, with potential fines amounting to as much as 1% of the average daily worldwide turnover of the previous year, which was $3,117 billion in April 2023. Non-compliance also leads to reputational damage, loss of customer trust, and increased exposure to cyber risks.
The consequences of failing to meet DORA compliance requirements go beyond immediate financial losses. Regulatory authorities may examine these institutions continuously, diverting their attention and resources from core business operations. Legal challenges and the possibility of civil litigation only add to the costs and complexities associated with non-compliance.
Ignoring DORA also strains relationships with partners and stakeholders, who depend on robust cybersecurity practices in a financially interconnected ecosystem.
Complying with DORA is paramount for EU-based financial entities. It protects against regulatory penalties and enhances their overall security posture, making financial institutions resilient to emerging IT threats in the finance sector. Do you feel DORA ready with our DORA compliance checklist?