Christopher Gill, Governance, Risk Management, Compliance, and Audit Specialist at ISMS.online, emphasizes the urgency of taking action now to meet DORA’s compliance requirements.
To safeguard the European financial system from the growing threat of cybercrime, the European Union has introduced the Digital Operational Resilience Act (DORA) regulations, marking a significant stride forward in cybersecurity. As the deadline for compliance draws near, the time for action is now.
For any financial institution operating within the EU, January 17, 2025, is a date that should be circled on the calendar. From this date, DORA, formally Regulation (EU) 2022/2554, applies to financial entities across the European Union, and its oversight regime also reaches the ICT third-party service providers designated as critical to them. The regulation is designed to fortify the financial system’s resilience against cyberattacks and ICT-related disruption, and the responsibility for implementing these protections falls squarely on the financial entities themselves.
From January 17, 2025, organizations must be able to demonstrate resilience against information and communication technology (ICT)-related threats. DORA sets out requirements across five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and information-sharing arrangements on cyber threats. This legislation represents the EU’s latest initiative to shield the financial system from cyber threats, with the goal of fostering overall system stability by ensuring individual institutions are well-prepared.
The landscape of risk management is undergoing a transformation. Financial institutions currently address operational risk largely through capital allocation; DORA adds a prescriptive set of operational resilience requirements on top of that. Meeting them calls for new tools, technologies, and processes for protecting against, detecting, and containing ICT-related threats, and for governing the third parties that run critical services. This proactive approach is expected to reduce the likelihood and impact of large-scale incidents such as the March 2023 attack on the outsourcer Capita, which exposed data belonging to members of the pension schemes it administered and affected multiple private sector pension funds. Regulation cannot rule out such incidents, but DORA’s requirements for third-party oversight, incident reporting, and resilience testing are intended to make them less likely and less damaging.
There are compelling reasons for companies to embrace the regulations outlined in DORA proactively. Firstly, cybersecurity has never been more crucial for any organization’s survival, success, and ongoing prosperity, particularly financial entities. Many leaders have already invested significantly in ICT security, positioning themselves ahead of competitors. Strong cybersecurity and data privacy offer protection and inspire confidence in staff, customers, and stakeholders, fostering a sense of digital trust.
Furthermore, failure to invest in cybersecurity and comply with DORA will expose businesses to increased ICT-related threats, potentially resulting in significant financial losses and damaging their reputation. As the scope of cybercriminal activity widens, DORA emphasizes that all enterprises must fortify themselves against these threats to protect the entire system.
It is essential to prepare for DORA compliance now, as the benefits are substantial. However, the transition may be challenging for some companies, and the compliance deadline is rapidly approaching. ISMS.online’s recent report, “The State of Information Security”, underscores the urgency for companies to take proactive steps to prepare for the January 2025 deadline.
While the survey of 500 information security professionals revealed that only 27% of companies are struggling with compliance, it also indicated that the average company takes more than 15 months to align its operations with new regulations. This suggests that organizations that delay action now may face a compliance lag. With less than 18 months remaining until the DORA application date, swift action is imperative.
To ensure a smooth transition to DORA compliance, businesses must increase their investments in information security. This includes investing in the right technology, processes, and, most importantly, people. People play a pivotal role because effective decision-making in cybersecurity relies on well-trained and informed personnel. Senior leaders within organizations must demonstrate sound leadership to cultivate a robust security culture, while investments in training and infrastructure should be made promptly to ensure compliance with DORA. This proactive approach will equip businesses to respond effectively to inbound cyber threats and maintain regulatory compliance from the outset.
In summary, the EU’s DORA regulation marks a critical step in fortifying the European financial system against cyber threats. The compliance deadline of January 17, 2025, is rapidly approaching, necessitating proactive efforts from financial institutions to ensure they meet the stringent requirements. Investing in technology, processes and, most importantly, well-trained personnel is vital to achieving compliance and enhancing overall cybersecurity resilience.