Navigating DORA: A Briefing for Compliance Officers

Right, let's get straight to it. 98% of companies are currently not DORA compliant, and the first fines may arrive in as little as 9 months. At Complok, we want to support companies that want to comply and help shift that ratio in the right direction.
As a compliance officer in a financial institution, you're likely already swamped. But the Digital Operational Resilience Act (DORA) is here, and it has been in force since January 17, 2025. Let's make sure you're on track.
Why Should You Care About DORA?

DORA is the EU's answer to the growing cyber threat landscape, aiming to ensure financial stability and maintain consumer trust in an increasingly digital world. The regulation is about creating a resilient and secure environment. By taking the necessary steps, financial institutions can protect themselves from penalties, strengthen their security, and preserve customer trust. Consider DORA a strategic advantage.
DORA addresses the increasing complexity and interdependence of digital systems that underpin financial services. The Act is designed to ensure uniform standards among member states, guaranteeing high levels of protection and continuity of operations.
Are You Affected?
Likely, yes.
DORA's scope is broad:
- Banks and credit unions.
- Insurance providers.
- Investment firms.
- Fintech companies.
- Payment institutions.
- Crypto-asset service providers.
- ...and importantly, third-party IT service providers to financial institutions.
In a nutshell, if your financial institution relies on digital operations (and who doesn't these days?), DORA is relevant.
The Five Pillars of DORA
DORA is structured around five key areas:
- ICT Risk Management: A comprehensive framework is needed. Think ongoing monitoring, threat identification, and robust security measures.
- ICT Incident Reporting: Prompt reporting of significant incidents is key to improving understanding of IT risks and coordinating responses.
- Digital Operational Resilience Testing: Regular testing, including Threat-Led Penetration Testing (TLPT) that simulates real attacks, is now a must.
- ICT Third-Party Risk Management: You'll need to monitor those third-party IT providers closely. Due diligence is mandatory.
- Information and Intelligence Sharing: Sharing information about cyber threats with other financial entities improves overall industry robustness.
The DORA Compliance Timeline
DORA took effect on January 17, 2025, and technically that date was also the deadline for full compliance. The European supervisory authorities are developing guidelines (Regulatory Technical Standards, or RTS) to help, and are starting oversight activities now. Fines are expected to be imposed within the next 9-24 months.
The Price of Non-Compliance
The penalties are serious:
- Fines up to 1% of the average daily worldwide turnover from the previous year.
- Revoked operating permissions.
- Public reprimands.
- Reputational damage and loss of customer trust.
- Increased exposure to cyber risks.
DORA Compliance: A Checklist to Get You Started
Here’s a checklist to help you ensure compliance:
- Gap Analysis: Assess your current systems against DORA. Here’s the [link] to our free Gap Analysis where you can assess your DORA compliance and see what you need to do next.
- Roadmap: Create a detailed plan to address gaps.
- IT Risk Management: Establish strong policies and procedures.
- Incident Reporting: Develop immediate reporting protocols.
- Resilience Testing: Implement TLPT.
- Third-Party Risk Assessments: Implement stringent oversight.
Don't Forget Crisis Management
Effective crisis management is vital for digital resilience. Your plan should include procedures for PR, IT investigations, client/supplier notifications, and regulatory notifications.
Final Thoughts
At Complok, we've partnered with ICT compliance experts from Komply.1 in Sweden to put together a DORA framework. Together we've created a quick Gap Analysis to get you started on DORA.
Find out if you're already DORA compliant and what you need to do next at https://www.complok.eu/dora-gap-analysis.