EU’s New Cybersecurity Law DORA: A Big Headache for Banks and Tech Suppliers
Financial services companies and their digital technology suppliers are on high alert as they race to comply with the European Union’s Digital Operational Resilience Act (DORA), a stringent new law aimed at bolstering cyber resilience across the financial sector. Coming into effect in January 2025, DORA is a game-changer, pushing for sweeping changes in how financial institutions manage their digital infrastructure and handle cybersecurity threats.
Key Takeaways:
- DORA is far more than a cybersecurity mandate; it’s a comprehensive overhaul of how financial institutions manage their digital infrastructure and handle cybersecurity threats. It goes beyond internal processes to include a critical examination of the tech suppliers that underpin their operations.
- With hefty fines of up to 2% of annual global revenue for non-compliance, DORA sends a clear message to financial institutions and their tech partners: Get your cybersecurity house in order.
- The law’s focus on “concentration risk,” which examines the reliance on external companies for critical functions, is forcing financial institutions to re-evaluate their digital supply chains. It’s a new frontier for legal scrutiny, prompting a deeper understanding of the vulnerabilities inherent in interconnected digital systems.
What is DORA?
DORA seeks to enhance the operational resilience of the financial services sector by requiring banks, insurance companies, and investment firms to strengthen their IT security. The goal is to ensure the sector can withstand severe disruptions, such as ransomware attacks that cripple systems and Distributed Denial-of-Service (DDoS) attacks that take websites offline.
The regulation’s reach extends beyond traditional cybersecurity measures to third-party risk management, a requirement that forces financial institutions to scrutinize the cybersecurity practices of their tech suppliers. This matters because many financial services companies depend on technology vendors for crucial functions, so a weakness at a supplier can become an operational disruption for the institution itself.
DORA’s Core Components:
- Rigorous IT risk management: Financial firms must establish robust frameworks for identifying, assessing, and mitigating IT risks.
- Incident management: They must develop effective procedures for detecting, responding to, and recovering from cyber incidents.
- Classification and reporting: Companies must classify and report cyber incidents, providing transparency and accountability.
- Digital operational resilience testing: Regular, comprehensive tests will assess a firm’s capacity to withstand cyberattacks and recover quickly.
- Information and intelligence sharing: Collaborating with other institutions and regulatory bodies will facilitate threat identification and rapid response.
- Third-party risk management: This includes assessing and controlling the “concentration risk” of relying heavily on external providers for critical functions.
Why Does DORA Matter?
The financial sector’s increasing reliance on technology and interconnected systems has heightened its vulnerability to cyberattacks and other disruptions. The recent global IT meltdown, triggered by a software update issued by cybersecurity firm CrowdStrike, highlighted the interconnected nature of modern technology and its potential to bring critical systems to a standstill.
Multiple banks, including JPMorgan Chase, Santander, Visa, and Charles Schwab, faced significant service disruptions during this event. The incident served as a stark reminder that even seemingly minor issues within a digital supply chain can ripple throughout the financial ecosystem. DORA aims to address this growing vulnerability by imposing a framework for proactive cybersecurity preparedness and risk mitigation.
When Does DORA Apply?
DORA entered into force in January 2023, but the enforcement period begins on January 17, 2025. This timeline offers financial institutions and tech suppliers ample time to prepare and ensure compliance.
DORA and the Digital Supply Chain
The EU’s approach to cybersecurity has evolved. While previous regulations like GDPR primarily focused on how firms handle personally identifiable information, DORA takes a broader view. It shifts the focus to the digital supply chain, which includes the network of technology providers supporting financial services companies.
This change signifies a deeper recognition that cybersecurity is not a solitary internal affair for financial institutions; it is an interconnected responsibility shared with their technology partners.
What If a Firm Fails to Comply?
The penalties for failing to comply with DORA are significant, demonstrating the EU’s commitment to enforcing these new rules.
- Financial firms face fines up to 2% of their annual global revenues.
- Individual managers can also be held accountable with potential sanctions reaching 1 million euros ($1.1 million).
- Third-party IT providers can incur fines of up to 1% of their average daily global revenues.
- For “critical” third-party IT firms, the fines can climb to 5 million euros, with individual managers facing a maximum penalty of 500,000 euros.
While DORA’s fines are substantial, they pale in comparison to the potential consequences of a major cyberattack on a financial institution. A significant data breach or operational disruption could result in substantial financial losses, reputational damage, and regulatory investigations. DORA aims to incentivize proactive cybersecurity measures, recognizing that prevention is far more cost-effective than reacting to a breach.
Are Banks and Their Suppliers Ready?
The industry is working diligently to achieve compliance, but there’s still a lot of work to be done.
- Financial institutions have started to leverage existing operational resilience and third-party risk programs to identify and address potential compliance gaps.
- Tech suppliers are also adapting, recognizing the increased scrutiny and the potential financial ramifications of non-compliance.
While the industry is striving to meet DORA’s requirements, the complexities of the law and the need for comprehensive changes mean that achieving full compliance by the January 2025 deadline could be a challenge.
The Path to Compliance
There is no one-size-fits-all route to DORA compliance. Different financial institutions and tech suppliers will need to tailor their strategies to their specific circumstances and the particular characteristics of their operations.
Key steps towards compliance include:
- Investing in comprehensive risk assessment frameworks.
- Strengthening incident response capabilities.
- Enhancing third-party risk management programs.
- Conducting regular digital operational resilience testing.
- Improving communication and collaboration across the digital supply chain.
DORA represents a pivotal shift in the landscape of cybersecurity for the financial sector. Financial institutions and their technology providers are navigating new territory, driven by the need to bolster their defenses against escalating cyber threats. The upcoming enforcement of DORA will push the industry further, ushering in a more resilient and secure future for the financial services sector.