DORA’s compliance deadline is here: How prepared is your organization?
The EU’s Digital Operational Resilience Act (DORA) comes into force today (January 17). This regulation aims to address threats to financial entities’ ICT infrastructures and enhance their resilience to disruption. The European Supervisory Authorities (ESA) released an update in December 2024[1] stating that the deadline was final, with no transitional period, and that financial entities must be fully compliant from today.
This act is welcomed by many practitioners who are pleased to see regulators address a significant risk to financial institutions within the European Union.
Wayne Scott, Regulatory Compliance Solutions Lead at Escode, believes that over the past three years there has been a critical gap in the financial industry’s approach to managing newly named risks, such as supplier failure, service deterioration, and concentration risk. He said:
“While cyber security remains a priority, there is a need for financial institutions to elevate ownership of these risks to a senior level. Many financial institutions (FIs) still do not fully grasp the shared responsibility model, mistakenly believing that the resilience of SaaS services lies solely with the supplier. This misconception, coupled with unclear ownership, has resulted in significant portions of the European financial services sector being left without robust, demonstrably successful stressed exit plans for their material services.”
However, since the inception of DORA, some practitioners have voiced fears over meeting its stringent requirements. BCI research[2] highlighted concerns surrounding the perceived complexity and ambiguity of the text. Some felt that the definitions provided were not clear enough and that concerns weren’t being addressed, as feedback from regulators was insufficient. Reporting requirement concerns were also raised: some practitioners felt they were diverting resources away from resolving incidents, and that the overlap of different regulations, with different templates and variables, was creating more work at a time when the response should have been at centre stage.
Shana Micallef, Security Governance Manager, APS Bank plc, Malta, said that although they have successfully conducted gap analysis across all the pillars of DORA, challenges still persist, especially in the implementation of Vulnerability Assessments (VA), where the frequent weekly scans, and subsequent remediation efforts, were not always straightforward due to the complexity of systems and the evolving nature of vulnerabilities. She said:
“As a result, remediation activities often need to be prioritised and staggered based on criticality, ensuring a structured and risk-based approach to maintaining compliance and operational resilience.”
Shana also highlighted the challenges of conducting Threat-Led Penetration Testing (TLPT) saying:
“These include significant budgetary investments to support comprehensive testing efforts, including additional funding to cover incident response for TLPT purposes, and the substantial operational effort necessary to execute them effectively. Additionally, the need for strict confidentiality during testing can create silos between departments, potentially complicating coordination.”
Third-party risk management has also proved a particular sticking point, especially for smaller organizations. These entities have struggled to meet the demands of the new framework due to limited resources and the complexity of compliance, compared to larger institutions with greater capacity. Some respondents reported that third-party suppliers were not always aware of the new regulation, or that complying with what the new standards demanded of them added cost pressures. In some cases, this led to smaller suppliers choosing not to work with financial services because it wasn’t financially viable for them. At the other end of the scale, practitioners reported that larger suppliers could be slow or reluctant to provide information proving compliance[3].
Michelle Cardona, Senior Operational Resilience Manager, APS Bank plc, Malta, said:
“We have been focussed on DORA preparedness for more than 12 months now, and we still find ourselves trying to navigate through the complexities of compliance to this regulation. The third-party provider front is currently presenting the biggest challenge where conversations with the suppliers concerned are not always straightforward.”
Although a second set of updates was published in July 2024[4] to address concerns, only 44.4% of respondents to the BCI Operational Resilience Report 2024 were confident or very confident that they would be able to meet the requirements of the January 2025 deadline. It remains to be seen whether organizations have succeeded in reaching DORA’s compliance targets in time.
Although today is the fixed deadline for DORA compliance, some experts feel that its remit will expand in the future, meaning EU financial entities will need to further enhance their operational resilience against ever-evolving ICT-related disruptions. Wayne Scott continued:
“The focus on DORA compliance has yet to extend to the resilience of fourth/nth party providers, leaving a critical vulnerability unaddressed.”
Those entities left unprepared risk large fines and penalty payments for continued non-compliance. However, they should demonstrate ‘good faith efforts’ and maintain contact with regulators to show ongoing progress towards compliance and potentially mitigate penalties. The ESA’s joint statement indicated that supervision of DORA requirements will be undertaken in a ‘risk-based manner’,[5] so unprepared organizations would do well to prioritise their highest-risk areas and critical functions first.