DORA deadline looms for finance sector and ICT suppliers
DORA will apply from 17th January 2025
With DORA arriving in January, three security experts give their view on the challenges facing the EU finance sector and its suppliers.
The EU Digital Operational Resilience Act (DORA) aims to strengthen the IT security of the financial sector in the bloc, including banks, insurance companies, payment service providers and investment firms. The goal is to ensure it is able to withstand serious disruption.
It includes measures to manage risk, including ICT third-party risk, and mandates operational monitoring and resilience testing of IT infrastructure. It also beefs up incident reporting requirements and seeks to improve information sharing about cyber threats.
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. UK-based financial organisations and IT providers serving EU clients will need to demonstrate compliance.
European Supervisory Authorities (ESAs) can impose fines of up to €10 million or 2% of global turnover on non-compliant organisations and individuals can be fined up to €1 million. Critical third-party ICT providers to financial entities can be fined up to €5 million, and individuals €500,000.
DORA will apply from 17th January 2025. It features a comprehensive and exacting set of rules and most businesses are highly unlikely to be compliant with all of them on that date.
“The reality is quite sobering,” said Rayna Stamboliyska, an EU Digital Ambassador and CEO of RS Strategy. “According to public communications and reports, only about a third of financial entities currently have a structured roadmap for DORA compliance.”
Stamboliyska spoke of “panic compliancy” as organisations realise the scale of the task at hand.
However, Crystal Morin, cybersecurity strategist at Sysdig, believes there will be some breathing space for companies to get their houses in order. “The vast majority of countries across the EU did not meet the deadline to get regulations into their statute books in time [for NIS2],” she pointed out. “I suspect that the same will happen in January.”
A shortage of capable professionals is one bottleneck, said Phil Skelton, business director, international at eSentire. “There’s currently a major skillset shortage around security and compliance, in part due to the influx of new regulations like DORA.”
DORA’s most challenging requirements
For most organisations in scope (financial organisations and their IT suppliers), the most challenging aspects will concern IT risk management integration and third-party risk management.
“Financial institutions must harmonise DORA requirements with their existing frameworks whilst ensuring comprehensive coverage of risk identification and response mechanisms,” said Stamboliyska.
“The third-party risk management aspect is particularly demanding due to the need for detailed assessments, comprehensive provider registers, and complex contractual negotiations.”
Organisations must also be able to show that they are following through on their findings, ensuring that their technology providers are compliant and remain so, and making changes if they are not. This will prove challenging for most financial firms, particularly smaller organisations, which will likely need to invest in technology, cybersecurity provisions and expertise.
“Financial institutions often lack direct control over the internal processes of third parties and providers may resist giving full transparency into operational resilience and security strategies,” said Morin.
“These challenges arise from the sheer scale and complexity of modern-day third-party dependencies that often include cross-border relationships. Financial institutions will need to invest heavily long-term in the time and resources necessary to meet and maintain these DORA requirements.”
The need for continuous assessment
Compliance with DORA is not a one-off. Organisations need to continually monitor third-party risk, including the financial health and security posture of suppliers. In addition, the organisation’s own resilience needs to be regularly tested, with an eye kept on regulatory changes.
“The key is to view DORA compliance as an ongoing programme integrated into business operations,” Stamboliyska said.
“And perhaps even more importantly, it is crucial to keep in mind why DORA exists: to ensure that the financial sector does not suffer a cyber-provoked cataclysm.”
Skelton recommends setting up a dedicated team for monitoring DORA requirements and coordinating efforts across the organisation.
He suggests that organisations create an asset inventory and ensure it is kept up to date. “This should account for every device connected to your company’s network and help you spot potential issues with them, as well as issues with any other IT infrastructure that you have.”
Significant risks should be logged using governance, risk and compliance (GRC) tools as they arise, he went on, along with documentation on how to solve them. These will provide valuable evidence of intent to comply when the auditors come knocking.
Tools and strategies for supply chain resilience
GRC and third-party risk management (TPRM) tools both come into play when evaluating suppliers, but being able to adjust proactively to the changing landscape is more about effective strategy than new tools, added Morin.
“There are an overwhelming number of tools that can be used to manage third-party risk, resilience and oversight, but keep in mind that each addition to your tech stack snowballs your number of third-party and supply chain tools. Many of these capabilities, such as compliance monitoring or incident response and recovery, may also be integrated into other security tools you already use.”
Financial organisations should come to an agreement about the use of TPRM tools with their suppliers. This could be a vexed issue, and organisations need to think ahead, said Skelton.
“One question you will have to answer: if your third parties are not compliant, how far are you willing to go? Will you cut them off as a supplier? Do you have a process in place that mitigates potential risks from them, and do you have a migration plan in place, as well, that you will follow to change suppliers?”
Such decisions will depend on the relative importance of the supplier and how easy it would be to find an alternative. Contracts will need to be redrawn and frameworks modernised to include specific provisions for operational resilience and compliance monitoring, with investment in technology platforms and tools that allow real-time monitoring.
“The goal is to create a robust ecosystem where risks are identified and managed proactively rather than reactively,” said Stamboliyska.
What to watch out for
It would be a mistake to underestimate the importance of timely incident reporting and communication under DORA, Stamboliyska said. For example, organisations must notify authorities no later than four hours after classifying an ICT incident as “major”, and within 24 hours of becoming aware of it.
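The two windows quoted above interact: the four-hour clock starts at classification, but the 24-hour clock started earlier, at awareness, so whichever expires first is the binding deadline. The following deadline calculator is an added illustration written for this article, not code from DORA, the ESAs or any of the experts quoted; it implements only the two windows the text states, and the sample timestamps are constructed. Any further reporting stages that the regulation defines are outside what this example models.

```python
from datetime import datetime, timedelta, timezone

# Windows as described in the article (initial notification to authorities).
CLASSIFICATION_WINDOW = timedelta(hours=4)   # after classifying the incident as "major"
AWARENESS_WINDOW = timedelta(hours=24)       # after first becoming aware of the incident


def initial_notification_deadline(aware_at: datetime, classified_major_at: datetime) -> datetime:
    """Return the earlier of the two deadlines, which is the one that binds."""
    if aware_at.tzinfo is None or classified_major_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps so the clock is unambiguous")
    if classified_major_at < aware_at:
        raise ValueError("an incident cannot be classified before anyone was aware of it")
    return min(classified_major_at + CLASSIFICATION_WINDOW,
               aware_at + AWARENESS_WINDOW)


def binding_window(aware_at: datetime, classified_major_at: datetime) -> str:
    """Name which window sets the deadline (useful for the incident record)."""
    by_classification = classified_major_at + CLASSIFICATION_WINDOW
    by_awareness = aware_at + AWARENESS_WINDOW
    # Classification more than 20h after awareness means the 24h clock runs out first.
    return "awareness" if by_awareness <= by_classification else "classification"


def notification_status(aware_at: datetime, classified_major_at: datetime,
                         now: datetime) -> dict:
    """Summarise where an open incident stands against its notification deadline."""
    deadline = initial_notification_deadline(aware_at, classified_major_at)
    remaining = deadline - now
    return {
        "deadline": deadline.isoformat(),
        "binding_window": binding_window(aware_at, classified_major_at),
        "overdue": remaining < timedelta(0),
        "minutes_remaining": int(remaining.total_seconds() // 60),
    }


if __name__ == "__main__":
    # Constructed sample incidents (not real events).
    utc = timezone.utc
    # Incident 1: classified two hours after awareness; the 4h window binds.
    aware_1 = datetime(2025, 1, 20, 9, 0, tzinfo=utc)
    major_1 = datetime(2025, 1, 20, 11, 0, tzinfo=utc)
    # Incident 2: classification dragged on for 23h; the 24h window binds.
    aware_2 = datetime(2025, 1, 20, 9, 0, tzinfo=utc)
    major_2 = datetime(2025, 1, 21, 8, 0, tzinfo=utc)
    now = datetime(2025, 1, 20, 14, 30, tzinfo=utc)
    for label, a, m in (("incident-1", aware_1, major_1), ("incident-2", aware_2, major_2)):
        print(label, notification_status(a, m, now))
```

The point of recording the binding window is the one the expert makes about audits: an incident log that shows not just the deadline but why it fell where it did is far easier to defend than a bare timestamp.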
Meanwhile, Skelton advised those in scope to ensure sufficient budget has been allocated over the long term, and to avoid the temptation to hand responsibility for compliance over to consultants or unqualified third parties.
“Watch out for companies promising a free assessment or free tooling. There is no such thing as a free lunch around compliance.”
Be prepared to be resilient, have your contingencies in place, and be ready for audits, said Morin. “Buckle up, because it is going to be a wild ride.”