What is the EU Digital Operational Resilience Act? DORA, explained


Financial services firms and their digital technology providers are under enormous pressure to comply with strict new EU rules that require them to be more cyber resilient.

By early next year, financial services firms and their technology suppliers must ensure they comply with a new European Union law known as DORA (Digital Operational Resilience Act).

CNBC tells you everything you need to know about DORA, including what it is, why it matters and what banks are doing to prepare.

What is DORA?

DORA obliges banks, insurance companies and investors to strengthen their IT security. The EU regulation also aims to ensure that the financial services industry is resilient in the event of a serious disruption.

Such disruptions could include, for example, a ransomware attack that shuts down a financial company’s computers or a distributed denial of service (DDoS) attack that takes a company’s website offline.

The regulation is also intended to help companies avoid major outages, such as the historic IT breakdown last month caused by cybersecurity company CrowdStrike, when a software update from the company caused Microsoft’s Windows operating system to crash.

Numerous banks, payment service providers and investment companies – from JPMorgan Chase and Santander to Visa and Charles Schwab – were unable to provide service due to the outage. These companies needed several hours to restore service to consumers.

In the future, such an event would be the type of service interruption that would be subject to closer scrutiny under the new EU rules.

Mike Sleightholme, president of fintech company Broadridge International, points out that one of the outstanding features of DORA is that the regulation not only focuses on what banks are doing to ensure their resilience, but also takes a close look at the companies’ technology suppliers.


Under DORA, banks are required to conduct rigorous IT risk management, incident management, classification and reporting, test their digital operational resilience, share information and intelligence related to cyber threats and vulnerabilities, and take measures to manage third-party risks.

In future, companies will have to carry out an assessment of the “concentration risks” associated with outsourcing critical or important operational functions to external companies.

These IT providers often provide “critical digital services” to their customers, says Joe Vaccaro, general manager of Cisco-owned Internet quality monitoring company ThousandEyes.

“These third-party vendors now need to be part of the testing and reporting process, which means financial services firms need to adopt solutions that help them uncover and map these sometimes hidden vendor dependencies,” he told CNBC.

Banks also need to “expand their ability to ensure the delivery and performance of digital experiences not only across the infrastructure they own, but also across the infrastructure they do not own,” Vaccaro added.

When does the law apply?

DORA came into force on 16 January 2023, but the rules will not be enforced by EU member states until 17 January 2025.

The EU has prioritized these reforms because the financial sector has become increasingly dependent on technology and technology companies to provide key services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.

“There is a lot of focus right now on third-party risk management,” Sleightholme told CNBC. “Banks are using third-party providers for important parts of their technology infrastructure.”

“Improved recovery time objectives are an important part of this. It’s really about security around technology, with a particular focus on cybersecurity recovery after cyber events,” he added.

Many EU digital policy reforms in recent years tend to focus on the obligations of companies themselves to ensure that their systems and frameworks are robust enough to protect against harmful events such as the loss of data by hackers or unauthorized individuals and companies.

For example, the EU General Data Protection Regulation (GDPR) requires companies to process personal data only with the individual’s consent and to have sufficient safeguards in place to minimize the risk of disclosure of that data in the event of a security breach or data leak.

DORA will place a greater focus on banks’ digital supply chain – which represents a new, potentially less pleasant legal dynamic for financial firms.

What happens if a company fails to meet its obligations?

EU authorities can impose fines of up to two percent of their annual global turnover on financial companies that violate the new rules.

Individual managers can also be held liable for violations. Fines for individuals in financial firms can be up to one million euros ($1.1 million).

Regulators can impose fines of up to 1% of the average daily global turnover of the previous financial year on IT providers, and companies can be fined daily for up to six months until they comply.

External IT companies classified as “critical” by EU regulators could be fined up to five million euros – or a maximum of 500,000 euros in the case of individual managers.


This is slightly less stringent than a law like the GDPR, which can fine companies up to 10 million euros ($10.9 million) or 4 percent of their annual global turnover, whichever is higher.

Carl Leonard, EMEA cybersecurity strategist at security software company Proofpoint, stresses that criminal sanctions can vary from member state to member state, depending on how each EU country applies the rules in its respective markets.

DORA also calls for a “proportionality principle” in punishing violations of the law, Leonard added.

This means that any response to regulatory failures must balance the time, effort and cost companies will have to invest in improving their internal processes and security technologies against the importance of the services they offer and the data they seek to protect.

Are the banks and their suppliers ready?

Stephen McDermid, EMEA security chief at cybersecurity firm Okta, told CNBC that many financial services firms are prioritizing leveraging existing internal operational resilience and third-party risk programs to become DORA compliant and “identify any gaps.”

“The intention of DORA is to bring together many existing governance programmes under a single supervisory authority and harmonise them across the EU,” he added.

Fredrik Forslund, vice president and general manager of international operations at data cleansing company Blancco, warned that while banks and technology providers have made progress in complying with DORA, there is still “a lot of work to be done.”

On a scale of one to ten – with one being non-compliance and ten being full compliance – Forslund said: “We are at 6 and are striving to get to 7.”

“We know we need to be at 10 by January,” he said, adding that “not everyone will be ready by January.”

By Bronte
