How to take your firm from risk to resilience in 8 DORA-compliant steps

By Tracey Hannan-Jones, February 19, 2025

There are two types of companies, as the saying goes: those that have been hacked and those that don’t know they’ve been hacked.

This is especially true in financial services. According to the IMF’s Global Financial Stability Report, nearly one-fifth of reported cyber incidents in the past two decades have impacted financial firms, resulting in $12 billion in direct losses.

Cybercriminals are becoming smarter and more sophisticated, sharing resources and ideas. They’re using advanced AI and other tools to discover how their attacks are prevented and then reengineering their tactics accordingly with long-term strategies until they succeed.

With only a patchwork of rules regarding how financial institutions should protect themselves and a heavier reliance on technology than ever before, change was needed.

Enter DORA

It’s no surprise, then, that governments and legislators have spent the past three years developing a regulatory framework that sets new rules on cybersecurity, risk management, and resilience for the financial services industry.

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January and is a game-changer in the financial services sector. DORA sets new standards to protect the financial system – and its customers and suppliers – from the rising tide of cyber threats and technological failures.

The Act applies to banks, insurers, investment firms, payment providers, and many other financial entities operating within the EU – including UK firms that serve EU customers or rely on EU-based service providers. There is no revenue threshold – all organisations from start-ups to global institutions are affected, although the Act does discuss “proportionality” in terms of implementation levels.

Crucially, DORA also impacts third-party tech vendors that provide cloud computing, cybersecurity, and IT services to financial firms.

Enforcement for all

The regulation is enforced by three European Supervisory Authorities (ESAs): the European Banking Authority (EBA) oversees banking institutions, the European Securities and Markets Authority (ESMA) focuses on financial markets, and the European Insurance and Occupational Pensions Authority (EIOPA) governs insurance and pension firms. These organisations have the power to impose penalties and fines – up to 2% of annual global turnover – should firms not comply.

For UK financial businesses that have no links at all with the EU, the Financial Conduct Authority will enforce its operational resilience framework (PS21/3) from March 31st this year, which aligns with many of DORA’s objectives and components.

There is, therefore, no escaping these rules. To help financial services firms evaluate where they are on the journey towards compliance, we’ve compiled a checklist of key actions:

1. Determine your status

The first step is clearly defining your organisation’s regulatory and operational landscape. Are you operating solely within the UK, or do you have business dealings across the EU or beyond? Do you rely on significant or critical IT service providers, and where are they based? Understanding your status, dependencies, and regulatory obligations is crucial from the outset.

2. Conduct a gap analysis

Assess the existing regulatory frameworks and determine which ones apply to your business. Whether it’s DORA, FCA rules, or other international legislation, align with the requirements relevant to your operations. Conduct a gap analysis to identify compliance shortcomings, assess risks, and outline a remediation plan, including the budget you might need to achieve this.

3. Implement a risk management framework

Identify, assess, and mitigate technology risks proactively by conducting comprehensive risk assessments covering IT systems, data security, and supply chain vulnerabilities. Risk management plans should include third-party service providers and cloud platforms critical to your business. ISO standards, especially ISO 27001, can be useful in this process.

4. Enhance your incident reporting

DORA requires organisations to develop a structured process to report cyber incidents within hours of detection. This goes beyond traditional business continuity and disaster recovery plans. Regular testing of your incident response plan is essential. DORA suggests triennially, but smaller tabletop exercises annually could be more effective.

5. Strengthen third-party provider risk management

Many organisations maintain a supplier risk register but don’t review it regularly. Ensure you understand the criticality of all your suppliers by conducting due diligence on cloud providers, software vendors, and cybersecurity partners. Monitor and review them proportionally and establish exit strategies in case a provider fails to meet resilience standards.

6. Boost pen testing

Conduct regular resilience testing. DORA mandates that firms must conduct Threat-Led Penetration Testing, including simulating real-world cyberattacks. Annual vulnerability assessments of critical IT infrastructure are also advisable to ensure best practices are upheld.

7. Collaborate with peers

A key aspect of DORA compliance is information sharing. Align with other financial institutions on reporting, incidents, and emerging trends. This isn’t about giving away your trade secrets; it’s about helping an entire sector stay vigilant.

8. Stay informed

Although DORA is an EU regulation, the UK is aligning its policies alongside it. Monitor FCA updates on the UK’s operational resilience framework and consider achieving ISO certifications to strengthen your compliance efforts.

Proactive not reactive

While DORA might seem bureaucratic and challenging, the financial services sector has largely welcomed the framework. This is understandable given that the average cost of a data breach in 2024 was $4.88 million per breach, according to the IBM Cost of a Data Breach Report.

Beyond financial costs, DORA helps protect against the reputational damage that a cyber incident can cause and boosts investor confidence. As with much government legislation, achieving compliance takes time, but waiting for a knock at the door is not an option. Ignorance is not a defence.

Operational resilience is no longer a luxury; it’s a critical priority. Proactive businesses will be better equipped to handle disruptions, protect customer data, fend off cyberattacks and navigate an increasingly sophisticated and volatile threat horizon.

Tracey Hannan-Jones is a Compliance and Security Consultant at UBDS Digital.
