DORA takes effect: Three critical steps for financial institutions
December 26, 2024 / Éva Nagyfejeő
Short on time? Read the key takeaways:
- The Digital Operational Resilience Act (DORA) applies to financial entities operating in the European Union and to the ICT third-party service providers that support them. The act is designed to prevent digital disruptions from turning into financial losses and wider economic damage.
- Financial entities and their critical ICT third-party service providers must comply from 17 January 2025.
- Compliance involves establishing robust ICT risk management frameworks, incident response mechanisms, and continuous governance, risk, and compliance practices to withstand, respond to, and recover from digital disruptions, ensuring operational continuity.
- While there is an upfront cost for implementation, DORA offers a strategic opportunity for organizations to strengthen resilience, enhance protection, and gain a significant operational advantage.
With critical new financial regulations coming into effect in January 2025, digital outages could expose financial entities to significant liabilities and, eventually, financial losses.
With cyber threats intensifying, traditional security measures such as perimeter monitoring and basic incident response procedures are no longer sufficient to safeguard against operational disruption. The European Union's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force in January 2023 and applies to all in-scope entities from 17 January 2025. The legislation establishes a single set of operational resilience standards for the financial sector across the EU, aiming to prevent digital outages from causing potentially severe economic consequences.
DORA is intended to ensure that financial entities and their Information and Communication Technology (ICT) service providers can withstand, respond to, and recover from digital disruptions. While its most visible targets are banks, insurers, and investment firms, DORA's scope is defined by activity rather than by institution type and reaches companies that offer financial services as part of a broader business. Entities in scope include payment and electronic money institutions, insurance undertakings and intermediaries, investment funds and their managers, crypto-asset service providers, credit rating agencies, and crowdfunding platforms. DORA is not limited to European entities: it applies to non-EU businesses with branches in the EU, and it must also be taken into account by non-EU ICT providers rendering services to financial entities based in the EU, since those contracts must now carry DORA-compliant terms. DORA's extensive scope reflects the fact that a single vulnerability in any entity, including an overseas third party, could trigger a domino effect and disrupt entire sectors of the economy.
DORA is a double-edged sword for organizations. While it represents a significant and costly challenge, particularly due to its impact on third-party ICT providers, it also offers a strategic advantage. By meeting these regulatory requirements, financial entities are equipped with stronger protections and enhanced operational efficiency, ultimately strengthening their resilience.
More than a regulation
While DORA adds new ICT obligations, it raises institutional resilience and cybersecurity to a level that organizations would be well advised to pursue anyway. DORA can serve as a catalyst for digital transformation that protects an institution's assets and improves its operational efficiency. It reduces the likelihood of a headline-making outage or breach and prompts organizations to invest in three key areas (alongside the regulation's further requirements for digital operational resilience testing, including threat-led penetration testing for designated entities, and for information sharing).
- ICT risk management and governance
DORA mandates that financial entities maintain a robust ICT risk management framework, with management body accountability for it, so that all digital assets are safeguarded. Organizations must identify and map their critical assets, functions and dependencies and have a documented strategy to protect them and to respond to and recover from incidents. This is not only about satisfying regulators; it is about fostering a culture of digital resilience that permeates the entire organization.
- Third-party risk management
One of DORA's key pillars is ensuring that financial institutions adequately manage the risks arising from their third-party ICT providers. Entities must maintain a register of information on all contractual arrangements with ICT providers, and contracts supporting critical or important functions must contain specified provisions on security, audit and access rights, incident support, and exit. This is a crucial consideration for any organization that outsources critical ICT functions. Unisys can help businesses assess and monitor their third-party risks while maintaining operations.
- Incident reporting and business continuity
Financial entities are required to classify ICT-related incidents and to report major incidents to their competent authority within stringent timeframes: an initial notification, an intermediate report, and a final report on a fixed schedule that begins as soon as an incident is classified as major. Clients must also be informed where an incident affects their financial interests. This presents an opportunity for organizations to enhance their incident management capabilities, with a service provider's help where needed, ensuring compliance and rapid recovery from potential disruptions.
Unisys and DORA: an ideal match
As a third-party ICT service provider to financial organizations operating in the EU, Unisys is itself subject to DORA's contractual and oversight requirements, which strengthens our ability to provide clients with a high level of security and operational efficiency. We are committed to helping our clients meet DORA requirements and achieve higher levels of protection and resilience. But the time to act is now.
Organizations impacted by DORA need support throughout the entire process, from understanding its scope to implementing robust risk management frameworks, incident response strategies, and ongoing governance, risk and compliance (GRC) programs — all before the January 2025 deadline. We recognize that our clients require a clear roadmap and comprehensive resources to ensure they stay on track with their DORA implementation efforts.
Preparing for DORA
With the January 2025 deadline upon us, organizations must prepare now. Meeting these regulations takes time and effort. Organizations must review their ICT risk management frameworks and incident reporting processes, assess third-party relationships, and understand their role in the broader digital ecosystem. Many institutions are building in-house capabilities by hiring specialized staff to address DORA's requirements, while others are opting to partner with expert providers who offer extensive experience and a proven track record. No matter the approach, we recommend the following steps:
- Review and discuss: Hold discussions with leadership teams to understand DORA’s relevance. Understand the regulation inside and out and recognize how each requirement may apply to the organization and what resources are needed to make that happen in time.
- Assess impact: Evaluate how DORA applies to client relationships and decide on a strategy. Where are the most changes required? Which areas would be the hardest to transition? What is the overall strategy for that implementation? Who will oversee it long-term?
- Engage for assistance: Identify areas where external expertise will be most valuable. Is it during the planning and strategy phase? Implementation? Ongoing governance and risk management? Consider how you will ensure continuous compliance in the long term and where bringing in an expert can offer the most efficiency.
The DORA Advantage
At Unisys, we view DORA as an operational advantage, not just an obligation. The resilience DORA requires can avert the losses a single major outage or breach would otherwise cause, and those losses are routinely measured in millions. Financial institutions with this level of protection earn the trust of potential customers and partners, protect their reputation, and avoid catastrophic losses. We can increasingly expect other industries and regions to adopt similar regulations. While DORA may accelerate the timeline for organizations to implement necessary changes, at Unisys we believe these regulations are timely and essential for building resilience and ensuring long-term operational stability.
Find out how Unisys can help you meet and exceed DORA’s requirements.