Countdown to DORA: Five Key Steps to Avoid Penalties Come January 2025
This article has been supplied by the author and has not been written or solicited by Creamer Media. It may be available only for a limited time on this website.
By Darren Thomson, Field CTO EMEAI at Commvault
Given the complexity and interconnected nature of the financial services ecosystem, it’s hardly surprising that operational resilience remains under regulatory scrutiny and review. The consequences of isolated or systemic disruption to services, particularly due to cyberattacks, could be catastrophic, and authorities are quite rightly focused on both prevention and mitigation.
One of the consequences of these challenges is that from January 17th of next year, the EU’s Digital Operational Resilience Act (DORA) will come into force. Oversight activities begin and there are harsh financial penalties for non-compliance. The objective behind DORA is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”
On a practical level, it will harmonise the operational resilience rules across 20 different types of financial entities and ICT third-party service providers. These include the likes of credit and payment institutions, investment firms, crypto-asset services providers, organisations in the insurance and retirement sectors, and even crowdfunding services, among others.
The regulations require organisations to focus on a range of key areas. These range from ICT risk management (including third-party providers), digital operational resilience testing and incident reporting, to information sharing and the implementation of an oversight framework for critical third-party ICT providers. As such, they have the potential to have far-reaching consequences for financial entities and ICT providers who operate without the proper processes or controls in place.
As an EU law, DORA will not apply directly in the UK, but – in a similar way to GDPR – it is relevant to many UK-based financial entities or ICT providers that supply services to organisations in the EU. They need to abide by its rules, with violations potentially leading to penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case. If GDPR enforcement is anything to go by, EU regulators are fully focused on the rules, with over €4 billion levied on organisations in breach of GDPR since 2018.
Planning for compliance
So, less than a year out from oversight activities commencing, what steps can organisations take to ensure they are compliant? There are five useful foundational points:
- Form cross-department teams to coordinate an organisational approach: Collaborate across departments like IT, cybersecurity, compliance, risk, and legal to develop a comprehensive understanding of DORA's implications.
- Secure leadership buy-in: Ensure senior management understands and supports DORA's importance, which can influence resource allocation and urgency in compliance efforts.
- Assess current processes and vulnerabilities: Identify gaps between existing security measures and DORA requirements to proactively address weaknesses.
- Update resilience objectives: Establish clear and actionable objectives aligned with DORA, allowing for prioritisation of compliance activities and investment.
- Monitor regulatory updates: Stay informed about changes to DORA regulations and adjust compliance strategies accordingly, focusing on continual gap analysis and investment prioritisation.
In an environment where regulations play an increasing role in determining the direction of cybersecurity strategy, it’s vital that organisations hone their approach to compliance in general. Doing so opens up the prospect of a win-win whereby digital security and resilience are given the emphasis they deserve, and fewer organisations fall victim to serious breaches. What’s almost certain, however, is that at some point in 2025 the first DORA-related enforcement action will be announced. Organisations that prepare now can minimise their chances of making the wrong kind of headlines.