As the January 2025 deadline for the EU Digital Operational Resilience Act (DORA) approaches, financial institutions and ICT providers across the European Economic Area (EEA) must urgently assess their readiness, address regulatory gaps, and implement the necessary tools and processes to ensure compliance and safeguard digital resilience.
On January 17, 2025, the EU Digital Operational Resilience Act will take effect across all European Economic Area countries. It will impact financial institutions and their ICT service providers even beyond these borders in certain circumstances.
With only three months remaining, more than 20,000 financial entities must comply with DORA’s regulatory requirements. However, in IDC’s European Security Technologies and Strategies Survey 2024 (May 2024), 49% of respondents stated, “We are aware of DORA but have not yet undertaken exploratory work,” and 14% admitted, “We are not aware of DORA.”
Progress has hopefully been made since then, driven by active market debate and numerous educational initiatives aimed at raising awareness. Still, with only a few months left before the deadline, financial entities and ICT providers must assess where they stand today and identify the work required to close the remaining gaps. Now is the time to prioritize, plan, and comply:
- PRIORITIZE the gaps that need addressing
- PLAN for tools and process improvements (extending beyond January 2025)
- COMPLY with the deadline
Let’s take a step back to recap the scope and objectives of this EU regulation.
Scope: Harmonization and Augmentation
DORA introduces two key innovations:
- Harmonization: DORA harmonizes regulatory requirements across the financial industries it covers, including banking, insurance, capital markets players, and adjacent players such as credit rating agencies. Because DORA is a regulation rather than a directive, it applies directly in every member state without national transposition, which removes the fragmentation across jurisdictions that transposed directives tend to create and ensures a common set of requirements everywhere.
- Augmentation: DORA marks a paradigm shift by bringing critical ICT third-party service providers under the direct oversight of the European Supervisory Authorities. As previously discussed in our blog, EU regulators have acknowledged the growing dependency of financial organizations on ICT and cloud service providers. Because digitalization and operational resilience are two sides of the same coin, a robust digital operational resilience framework directly strengthens the security of banking operations. By placing critical ICT third-party providers under direct supervision, regulators have reshaped the dynamics between financial entities and their ICT partners.
For financial entities, DORA provides the framework for tighter collaboration with ICT partners to ensure end-to-end operational robustness. For ICT partners, DORA is not just a new regulatory burden but an opportunity to deepen client relationships and explore new business avenues, since financial entities are required to identify alternative solutions and plan transitions for the ICT services that support each of their critical or important functions.
Objectives: Mitigating Systemic Risk
The primary objective of DORA is to address the systemic risk posed by critical ICT service providers to the financial industry. By involving the three European Supervisory Authorities (EBA, ESMA, and EIOPA) directly, regulators aim to mitigate this risk and enhance the overall digital resilience of the financial sector.
DORA’s requirements fall under five pillars:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- Mandatory incident reporting
- Voluntary information and intelligence sharing
Additionally, financial entities must define clear exit strategies for ICT services supporting critical or important functions, so that operational issues with an existing ICT partner do not turn into systemic risk. Each entity must identify alternative solutions and service providers in advance to ensure the smooth transfer of those services if the need arises.
For ICT vendors, DORA is a double-edged sword: While it opens up new opportunities and makes the market more fluid, it also imposes additional compliance obligations.
It is important to note that many DORA requirements are not new to large institutions, particularly significant banks subject to the ECB's Single Supervisory Mechanism, and the principle of proportionality still applies under DORA. Nonetheless, its impact is extensive, as the IDC survey shows: 38% of respondents cited digital operational resilience testing as their biggest challenge, and 33% identified ICT third-party risk management as a major hurdle.
Final Steps: Self-Assessment and Planning
With the deadline approaching, each institution must conduct a self-assessment to identify its gaps. Where significant gaps remain, organizations must prioritize the work needed to meet compliance requirements. In parallel, financial entities should plan for the adoption of new tools and processes, such as integrated procurement solutions that strengthen third-party governance, so that DORA is addressed holistically as part of their ongoing journey toward digital operational resilience.
Are you ready for DORA? Discover the 10 critical steps financial entities must take before the regulation comes into effect in January 2025: IDC PlanScape: Last-Call DORA Compliance Checklist to Achieve Digital Operational Resilience