DORA is coming: New EU regulation on security in the financial sector


published on 6 December 2024 | reading time approx. 3 minutes


The Digital Operational Resilience Act (DORA) aims to strengthen digital operational resilience in the financial sector. The EU regulation applies from 17 January 2025 and is intended to ensure that financial entities in the EU, together with the third-party ICT service providers they rely on, can withstand, respond to and recover from cyberattacks and other ICT-related disruptions. ICT service providers in this sense are companies that provide services in the field of information and communication technologies (ICT), such as cloud, hosting, network or software services.

Overview and general information on DORA  

The aim of DORA is to provide an EU-wide harmonized framework for the management of cybersecurity and ICT risks in the financial sector. The regulation affects a wide range of financial entities in the EU, such as credit institutions, investment firms and institutions for occupational retirement provision, as well as the third-party ICT service providers that serve them, and covers the following key areas:

  • Financial entities need to implement a robust ICT risk management framework to identify, assess and manage threats. This includes the development and implementation of strategies, policies and procedures, and responsibility for the framework lies with the management body.
  • Companies are required to classify and report ICT-related incidents. To this end, a process for detection, classification and reporting must be set up so that major ICT-related incidents are reported to the competent authority within the prescribed deadlines.
  • Regular testing of systems and processes is required to check their resilience against cyberattacks. Financial entities that their authorities identify for this purpose must additionally carry out Threat-led Penetration Testing (TLPT) at least every three years.
  • Companies must ensure that their third-party providers also meet the requirements of DORA by assessing and managing the ICT risks arising from these providers, including through contractual arrangements and a register of all contracts with ICT service providers.
  • Third-party ICT service providers that are designated as critical to the operational resilience of financial entities (for example cloud computing services, data center operators, network infrastructure providers or software-as-a-service providers) fall under a dedicated oversight framework and must meet extensive ICT risk management requirements.

Implementation of DORA and risks of non-compliance  

The implementation of DORA requires a structured approach, for which the support of experts is generally advisable. The focus is on reviewing and evaluating existing ICT systems and processes against the requirements of DORA (a gap analysis) and on systematically identifying and implementing any necessary adaptations. In this way, companies strengthen their resilience to digital threats while minimizing regulatory risk, as non-compliance with DORA can have serious consequences. Companies may be fined substantial amounts or ordered by the authorities to temporarily cease certain activities. In addition, violations can be made public, which can cause reputational damage and ultimately carry the risk of a lasting loss of trust.

Conclusion  

DORA creates an EU-wide harmonized framework for the management of cybersecurity and ICT risks in the financial sector. As a result, financial entities must implement a robust ICT risk management framework, classify and report ICT-related incidents, regularly test their resilience and ensure that their third-party providers also comply with DORA requirements. Breaches of DORA can lead to significant financial and reputational consequences, so expert support in analyzing the current state and implementing appropriate measures is advisable.

Contact

Frank Reutter, Partner, +49 221 949 909 316

Frederic Rehorst, Manager, +49 221 949 909 155
