By January 2025, banks and their technology suppliers will be required to meet strict new security standards set by the European Union under the Digital Operational Resilience Act (DORA).
CNBC reported that this upcoming regulation is intended to strengthen the cyber resilience of financial services and mitigate risks stemming from IT disruptions. The EU's new law also emphasizes the importance of managing third-party risks, a concern brought into focus by recent global tech outages caused by software issues from firms like CrowdStrike.
EU's New DORA Law
DORA mandates that financial institutions, including banks, insurance companies, and investment firms, implement strong IT security measures to prevent severe disruptions. These disruptions could involve ransomware attacks or distributed denial-of-service (DDoS) attacks that impact operational continuity.
The law also seeks to address vulnerabilities exposed by outages, such as the widespread IT failure last month that affected major financial entities including JPMorgan Chase and Visa.
A key aspect of DORA is its focus on third-party technology providers, which must now be part of the compliance framework. This part of the regulation will require rigorous risk management and operational resilience testing not only from banks but also from their tech suppliers.
This includes assessing and managing "concentration risks" associated with outsourcing critical functions.
While DORA was officially enacted on January 16, 2023, its enforcement will not begin until January 17, 2025. This timeline gives financial firms and their tech partners time to align their operations with the new requirements.
Failure to comply with DORA can result in costly fines, with penalties reaching up to 2% of a firm's annual global revenue, and individual managers possibly facing fines of up to €1 million ($1.08 million).