Today marks the deadline for compliance with the Digital Operational Resilience Act (DORA) in the EU.
DORA takes effect today, implementing a comprehensive framework aimed at enhancing Information and Communication Technology (ICT) risk management. In preparation for this regulation, banks have been restructuring their internal systems to meet compliance requirements, thereby increasing resilience and strengthening the security of personal data.
Grant Harper, global lead for financial services at ITRS, noted, “DORA comes at a time when scrutiny over operational resilience continues to intensify. Operational resilience is not just about ticking regulatory boxes; it’s about safeguarding reputation and maintaining trust in a competitive market.”
The banking sector has grown increasingly complex due to widespread digital transformation over the past decade. DORA seeks to establish explicit requirements related to cybersecurity, resilience, risk monitoring, and oversight.
Looking to the Future of DORA
Simon Treacy, a senior associate in financial regulation at Linklaters, highlighted some of the challenges surrounding DORA compliance: “A significant challenge is that the DORA rulebook is still not finalized. Firms will need to be prepared for last-minute changes, especially those affecting contracts with IT providers.”
Treacy added, “European legislators are still working on detailed rules related to subcontracting ICT services and threat-led penetration testing. We anticipate guidance from the European Commission regarding the scope of ‘ICT services’ under DORA, which could require firms to extend their implementation projects based on the final rulings.”
He emphasized that DORA compliance will be an ongoing process that continues to evolve daily based on each firm’s internal operations.
Research from Rubrik Zero Labs reveals that 47% of financial organizations in the UK have invested over €1,000,000 in DORA preparations in the past two years, while 28% have spent between €501,000 and €1,000,000. The study also indicates that 46% of financial institutions view ransomware as the greatest security threat.
Carl Leonard, cybersecurity strategist EMEA at Proofpoint, remarked, “As we move past the deadline, organizations should not scale back their efforts. A critical—and often overlooked—aspect of maintaining resilience is continuous risk assessments, especially when integrating new technologies, services, or suppliers. Thorough due diligence and proactive risk evaluation are essential to prevent new vulnerabilities and uphold a strong security posture.”
Leonard emphasized the importance of maintaining fundamental security practices and “cyber hygiene” to keep pace while incorporating modern technologies, particularly AI-driven programs.
In December 2024, the World Federation of Exchanges (WFE) raised concerns with the European Commission regarding the potentially discriminatory impact of DORA rules.