
What is the Digital Operational Resilience Act?


The new DORA regulation is part of a European initiative aimed at enhancing the cybersecurity and operational resilience of companies engaged in financial activities. The European Union wants this initiative to be viewed more as an opportunity than a constraint.

Resilience is a popular term these days. Whatever challenges one faces, it is advisable to be resilient, that is, capable of absorbing disruptions and quickly recovering from them.

What about companies? Isn’t it equally important for them to demonstrate resilience in the case of temporary IT malfunctions or even cyberattacks?

This resilience capability becomes even more crucial when the IT systems at stake belong to a bank or a cryptocurrency service provider. Being unable to access one’s assets, whether in euros or in bitcoin or ether, is a serious source of concern.

In response to these challenges, the European Union has adopted DORA (the Digital Operational Resilience Act), a regulation specifically aimed at ensuring the continuity and security of financial activities.

The Birth of DORA

At the end of September 2020, the European Commission published the Digital Operational Resilience proposal, a set of measures aimed at strengthening the digital operational resilience of the financial sector.

The goal was to unify European standards and requirements into a harmonized and comprehensive framework for the digital operational resilience of financial entities. DORA aims to promote rapid detection of major IT incidents, the ability to recover quickly, and analysis of the causes of disruption, together with a mandatory incident-reporting obligation.

Cyberattacks with Major Consequences

This regulatory framework was made necessary by the growing risks created by the digital transformation of financial services and the increasing interconnection of networks. Numerous cyberattacks have already had enormous consequences for well-known institutions.

  • In 2014, JP Morgan Chase, one of the largest banks in the USA, suffered a breach that compromised the identities of over 80 million customers.
  • Two years later, the hacking of the interbank messaging system SWIFT allowed the diversion of 81 million dollars from the central bank of Bangladesh.
  • During the same year, 2016, Tesco Bank, a UK institution, was the victim of a cyberattack that affected 9,000 customer accounts and enabled the attackers to steal about 2.5 million pounds sterling.
  • In 2017, 140 million records held by Equifax, one of the main American credit agencies, were stolen, exposing social security numbers, birth dates, and other personal data.
  • In 2019, a breach of the American bank Capital One’s systems exposed the personal data of about 100 million customers and credit card applicants.

Most of these companies suffered lasting damage to their reputation from these cyberattacks, with public trust often undermined by the lack of a quick response.

Incidents of this kind made a strong case for rules ensuring the security and continuity of financial operations.

The DORA regulation was adopted by the European Parliament on November 10, 2022, then by the EU Council, and subsequently published in the Official Journal.

Since January 17, 2025, DORA has been in effect in all EU member states.

Who is Affected by DORA?

DORA applies specifically to the following entities:

  • credit institutions;
  • payment institutions;
  • investment firms;
  • providers of crypto-asset related services;
  • insurance companies;
  • third-party companies providing IT services for critical or important functions.

It should be noted that the regulation introduces a principle of proportionality: some financial entities benefit from a simplified regime and may even be exempt from DORA. Factors such as size, functions, and business profile expose a company to digital disruptions on very different scales.

What Consequences for Financial Entities?

Most financial entities will need to make changes to comply with the DORA regulation. First, they must assess their current situation against DORA’s expectations: identify potential risks and estimate acceptable levels of disruption, especially from the users’ perspective. After this assessment, the entity must bring its practices up to the required level of maturity.

The company must establish penetration testing, backup and restoration policies. Once an incident occurs, it must be able to restore its systems and limit the overall impact. It must then conduct a thorough review, determine the causes, and implement appropriate remedies. Additionally, it must notify the competent authority of these incidents using the standardized reporting templates.

An Opportunity Rather Than an Obligation

DORA will typically require greater investment in IT resources. However, the European Union wants to convey that this new regulation is not merely an obligation. DORA is part of companies’ evolution towards digitization and aims to support the transition of European financial markets into the digital age, promoting a robust market that users can trust.

DORA starts from the premise that IT incidents, however unlikely they may seem at first glance, can occur, and that one must be prepared to ensure the continuity of critical activities and services. A financial company that adapts its operations accordingly will benefit from optimized IT risk management.

This regulation should therefore be seen as an opportunity to stand out in the market. Even small companies can benefit from establishing robust policies and testing procedures. In France, the AMF has called on financial sector players to actively prepare for this transformation.
