https://newsletter.en.creamermedia.com
Environment|Financial|Risk Management|SECURITY|Service|Services|Testing
Environment|Financial|Risk Management|SECURITY|Service|Services|Testing
environment|financial|risk-management|security|service|services|testing

Countdown to DORA: Five Key Steps to Avoid Penalties Come January 2025

3rd July 2024

     

Font size: - +

This article has been supplied.

By Darren Thomson, Field CTO EMEAI at Commvault

Given the complexity and interconnected nature of the financial services ecosystem, it’s hardly surprising that operational resilience remains under regulatory scrutiny and review. The consequences of isolated or systemic disruption to services, particularly due to cyberattacks, could be catastrophic, and authorities are quite rightly focused on both prevention and mitigation.

One of the consequences of these challenges is that from January 17th of next year, the EU’s Digital Operational Resilience Act (DORA) will come into force. Oversight activities begin and there are harsh financial penalties for non-compliance. The objective behind DORA is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”

On a practical level, it will harmonise the operational resilience rules across 20 different types of financial entities and ICT third-party service providers. These include the likes of credit and payment institutions, investment firms, crypto-asset services providers, organisations in the insurance and retirement sectors, and even crowdfunding services, among others. 

The regulations require organisations to focus on a range of key areas. These range from ICT risk management (including third-party providers), digital operational resilience testing and incident reporting, to information sharing and the implementation of an oversight framework for critical third-party ICT providers. As such, they have the potential to have far-reaching consequences for financial entities and ICT providers who operate without the proper processes or controls in place.

As an EU law, DORA will not apply directly in the UK, but – in a similar way to GDPR – it is relevant to many UK-based financial entities or ICT providers that supply services to organisations in the EU. They need to abide by its rules, with violations potentially leading to penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case. If GDPR enforcement is anything to go by, EU regulators are fully focused on the rules, with over €4 billion levied on organisations in breach of GDPR since 2018.

Planning for compliance

So, less than a year out from oversight activities commencing, what steps can organisations take to ensure they are compliant? There are five useful foundational points:

  • Form cross-department teams to coordinate an organisational approach: Collaborate across departments like IT, cybersecurity, compliance, risk, and legal to develop a comprehensive understanding of DORA's implications.
  • Secure leadership buy-in: Ensure senior management understands and supports DORA's importance, which can influence resource allocation and urgency in compliance efforts.
  • Assess current processes and vulnerabilities: Identify gaps between existing security measures and DORA requirements to proactively address weaknesses.
  • Update resilience objectives: Establish clear and actionable objectives aligned with DORA, allowing for prioritisation of compliance activities and investment.
  • Monitor regulatory updates: Stay informed about changes to DORA regulations and adjust compliance strategies accordingly, focusing on continual gap analysis and investment prioritisation. 

In an environment where regulations play an increasing role in determining the direction of cybersecurity strategy, it’s vital that organisations hone their approach to compliance in general. Doing so opens up the prospect of a win-win whereby digital security and resilience are given the emphasis they deserve, and fewer organisations fall victim to serious breaches. What’s almost certain, however, is that at some point in 2025 the first DORA-related enforcement action will be announced. Organisations that prepare now can minimise their chances of making the wrong kind of headlines.

 

 

Edited by Creamer Media Reporter

Comments

 

Showroom

Willard
Willard

Rooted in the hearts of South Africans, combining technology and a quest for perfection to bring you a battery of peerless standing. Willard...

VISIT SHOWROOM 
Flameblock
Flameblock

FlameBlock is a proudly South African company that engineers, manufactures and supplies fire intumescent and retardant products to the fire...

VISIT SHOWROOM 

Latest Multimedia

sponsored by

Magazine round up | 13 December 2024
Magazine round up | 13 December 2024
13th December 2024

Option 1 (equivalent of R125 a month):

Receive a weekly copy of Creamer Media's Engineering News & Mining Weekly magazine
(print copy for those in South Africa and e-magazine for those outside of South Africa)
Receive daily email newsletters
Access to full search results
Access archive of magazine back copies
Access to Projects in Progress
Access to ONE Research Report of your choice in PDF format

Option 2 (equivalent of R375 a month):

All benefits from Option 1
PLUS
Access to Creamer Media's Research Channel Africa for ALL Research Reports, in PDF format, on various industrial and mining sectors including Electricity; Water; Energy Transition; Hydrogen; Roads, Rail and Ports; Coal; Gold; Platinum; Battery Metals; etc.

Already a subscriber?

Forgotten your password?

MAGAZINE & ONLINE

SUBSCRIBE

RESEARCH CHANNEL AFRICA

SUBSCRIBE

CORPORATE PACKAGES

CLICK FOR A QUOTATION







sq:0.214 0.302s - 197pq - 2rq
Subscribe Now