
DORA: What the EU’s new security standards for banks and companies will entail

Financial services companies and the companies that supply their digital technology are under increasing pressure to achieve compliance with DORA, strict new EU rules requiring them to increase their cyber resilience.

By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming EU law known as DORA, or the Digital Operational Resilience Act.

DORA entered into force on 16 January 2023 and will apply as of 17 January 2025.

US business news channel CNBC recently ran a detailed report on DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.

What is DORA?

As reported by CNBC, DORA requires banks, insurance companies and investment firms to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations, the article pointed out.

It noted that such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDoS (distributed denial-of-service) attack that forces a firm’s website to go offline.

The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.

Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers, the CNBC article said.

It went on to say that, in the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.

Speaking to CNBC, Mike Sleightholme, president of fintech firm Broadridge International, noted that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.

Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.

Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.

These IT providers often deliver “critical digital services to customers,” Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes, also told CNBC.

“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told the US channel.

Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.

When does the law begin to apply?

DORA entered into force on 16 January 2023 and will apply as of 17 January 2025.

The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents, CNBC reported.

“There’s a lot of focus on third-party risk management” now, Sleightholme told the channel. “Banks use third-party service providers for important parts of their technology infrastructure.”

“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.

CNBC also reported that many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorised individuals and entities.

It gave the example of the EU’s General Data Protection Regulation, or GDPR, that requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimise the potential of such data being exposed in a breach or leak.

DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms, CNBC explained.

What happens if a firm fails to comply?

For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.

Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high as €1 million ($1.1 million).

For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance, CNBC noted.

Third-party IT firms deemed “critical” by EU regulators, meanwhile, could face fines of up to €5 million — or, in the case of an individual manager, a maximum of €500,000.

That’s slightly less severe than a law such as GDPR, under which firms can be fined up to €10 million ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.

In his comments to CNBC, Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stressed that criminal sanctions may vary from member state to member state, depending on how each EU country applies the rules in its own market.

DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.

That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect, the channel elaborated.

Are banks and their suppliers ready for DORA?

Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritised using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”

“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.

In his comments to the US channel, Fredrik Forslund, vice president and general manager of international at data sanitisation firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”

On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”

“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.”

(Sources: CNBC, InBusinessNews)
