The new regulation applies across the European Union from January 17, 2025, and UK firms that serve EU clients or EU-regulated entities are in scope, so affected companies must be prepared to comply.
The Digital Operational Resilience Act (DORA), which entered into force in January 2023 and has been discussed ever since, has raised questions about its scope and impact on the financial sector. DORA aims to ensure that financial entities, and the ICT providers they rely on, are more resilient and better prepared for cyberattacks and other ICT disruptions.
Given the increasing frequency and sophistication of cyberattacks, and the highly valuable data and critical services the financial sector handles, it is clear why the European Union introduced DORA.
In recent years, numerous cyberattacks and IT incidents have disrupted financial organizations, leading to downtime and significant data loss. DORA seeks to standardize security and resilience practices across the sector.
Although firms have had two years to prepare, the scale of the changes means many still have work to do. DORA is expected to be rigorously enforced, and it places responsibility squarely on the management body: directors who fail to ensure their organizations' ICT security and resilience face serious repercussions.
With only months remaining before DORA applies, how can financial sector companies ensure they are compliant?
1) Securing Staff and Stakeholder Buy-in
A critical step in policy changes is ensuring all employees are informed, engaged, and given opportunities to provide feedback on how changes affect their departments.
When employees are actively involved, it becomes easier to make compliance part of everyday business. Staff in each department are more familiar with that department's specific risks and can identify weaknesses that an external team would miss. Engaging staff also encourages them to report the challenges their departments face, so everyone should be involved regardless of seniority. Because attackers often exploit the weakest link, and that link is frequently a person rather than a system, educating staff about the risks and how to mitigate them is key to improving adherence and keeping attackers at bay.
2) Treating Compliance as a Continuous Process
Compliance is often seen as a one-time achievement, but it should be treated as an ongoing responsibility.
DORA requires continuous oversight rather than a point-in-time certification: companies must maintain an ICT risk management framework, monitor and report incidents, and test their resilience on an ongoing basis, responding to new threats as they emerge. The financial sector faces ever-evolving risks, so firms must regularly review and update their procedures to remain compliant. Integrating these updates into day-to-day operations, as mentioned earlier, helps companies stay proactive. Routine assessments and testing of processes and technologies will be essential for staying compliant with DORA.
3) Securing Third-Party Partnerships
As the threat from cybercriminals has grown, financial organizations have invested heavily in front-line defenses to safeguard sensitive data. Attackers have responded by targeting the third-party suppliers and service providers that connect to financial firms, where defenses are often weaker.
This means that companies must ensure their suppliers' security is as strong as their own. DORA treats ICT third-party risk as a core part of compliance: firms are expected to maintain an inventory of their ICT third-party arrangements, assess the risks those arrangements introduce, and ensure their contracts support the required level of resilience. Understanding and securing your entire supply chain is crucial for adhering to DORA.
4) Keeping Thorough Documentation
Since DORA is expected to be closely monitored, documenting every action taken during the compliance process is essential. Unlike regulations where checks are effectively one-off, DORA compliance will involve regular reviews by supervisors.
Maintaining a continuous record of risk assessments, incident reports, test results, and the actions taken to improve resilience will be necessary. This record both demonstrates compliance to regulators and provides a clear history of the organization's cybersecurity and ICT resilience efforts.
5) Consulting Experts
Navigating DORA compliance and cybersecurity may seem overwhelming, especially in a highly regulated industry like finance. With internal IT teams already managing daily tasks, many financial firms are turning to consultants for assistance.
Bringing in external experts can relieve the burden on internal teams and give senior leaders assurance that compliance is being handled. It also helps ensure that in the event of a cyberattack or ICT incident, swift action can be taken to protect data and maintain adherence to the regulation.