Are European finance firms ready for the DORA deadline tomorrow?


The Digital Operational Resilience Act (DORA) comes into effect tomorrow, ushering in a range of new requirements relating to European financial companies' ICT and cybersecurity standards.

Introduced to the European Parliament in 2022, the Act was passed on 16 January 2023 with the implementation date set for 17 January 2025. As with most major financial regulations in the EU, this date was chosen with the aim of giving stakeholders ample time to prepare.

The Act will apply to over 20,000 financial organisations and IT providers throughout the EU, though its impact will of course be felt in non-EU markets with strong connections to the trade bloc such as the UK, Switzerland and certain Nordic countries.

In the context of the rapid acceleration of financial technology in recent years, the digitalisation of payments and the general reliance on the internet, regulations to ensure companies have robust IT infrastructure and processes make a lot of sense.

Recent years have seen some high-profile cybersecurity breaches at major firms. In June last year, for example, the group ShinyHunters was able to steal the payment details of millions of Santander and Ticketmaster customers.

“In many ways, DORA is a step by regulators to address the vulnerabilities exposed by the rapid innovation of fintech,” said Marios Joannou, Head of Digital Risk and Privacy at payabl., a London-based paytech firm.

“It signals the end of the ‘move fast and break things’ era that accelerated growth but often left critical resilience gaps, exposing institutions and markets to significant operational risks.”

DORA do’s and DORA don’ts

So what exactly does DORA entail, and how will it strengthen European finance’s cyber-resilience? The regulation’s main objective is to establish broad requirements for the security of the network and information systems supporting businesses.

These requirements relate to ICT risk management, reporting of major ICT-related incidents, and voluntary notification of cyber threats and security payment-related incidents to the relevant authorities.

Other requirements cover digital operational resilience testing, information and intelligence sharing relating to cyber threats and vulnerabilities, management of ICT third-party risks, and requirements around ICT third-party providers and financial entities. Rules have also been created to govern the way authorities interact on ICT-related issues.

“While it may look cybersecurity-oriented, the reality is that DORA addresses a wide range of risks,” Joannou adds. “These include service availability, business insolvency, and hostile takeover, as the framework seeks to balance the need for innovation with sustainable growth.”

As with any major regulatory update, DORA will be a test for payments companies. Firms across Europe and elsewhere have had a lot of regulatory changes to contend with lately, such as adapting to the ISO 20022 standard, which some are still struggling with.

The issue with regulatory updates like this is the high compliance costs businesses face, and in DORA’s case the scrutiny of third-party providers may put pressure on payments firms' external relationships.

For cross-border firms, such as those based in the global financial hub of London but active in EU member states, there is also the difficulty of having to contend with two sets of cybersecurity compliance frameworks on the same continent.

All steps forward come with growing pains, however, and DORA will be no exception. For the cybersecurity industry, it may also present an opportunity for companies to find new clients in the finance industry as payments and fintech firms look to bolster their ICT infrastructure to meet the new standards.

“Many financial institutions are woefully unprepared for DORA’s upcoming January deadline,” says Andy Norton, European Cyber Risk Officer at Armis, a computer security company, citing that 35% of UK ICT leaders in financial services have admitted to lacking ‘sufficient budget allocations’ for cybersecurity.

“To meet DORA’s stringent requirements, firms must first prioritise cybersecurity basics, like shoring up multi-factor authentication (MFA), firewalls, network visibility and regular software updates,” he adds.

“Equally important is adopting automation and bringing all security tools and processes under a unified management system to create better visibility and faster, more streamlined operations.

“Once these fundamentals are sorted, advanced solutions like AI-powered threat intelligence enable firms to transition from reactive cybersecurity measures to a proactive defence strategy, identifying and neutralising threats before they occur.”