Editor’s Note: As the January 17, 2025, deadline for compliance with the European Union’s Digital Operational Resilience Act (DORA) rapidly approaches, financial institutions and their technology providers face unprecedented challenges in fortifying their digital defenses. This article delves into the critical components of DORA and its far-reaching implications for banks, insurance companies, and their tech partners. It underscores the importance of stringent IT security measures, comprehensive risk management, and the integration of advanced technologies like AI to ensure resilience against severe operational disruptions. With substantial penalties looming for non-compliance, financial firms must accelerate their efforts to meet DORA’s exacting standards and safeguard their operations against future threats.

Industry News – Data Privacy and Protection Beat

Exploring DORA: Financial Sector Prepares for Comprehensive Digital Resilience

ComplexDiscovery Staff

The financial services industry is under pressure to ensure compliance with the European Union’s Digital Operational Resilience Act (DORA) by January 17, 2025. This article examines the critical elements of DORA, its implications for banks, insurance companies, and their tech suppliers, and the ensuing measures firms are taking to adhere to these stringent requirements.

DORA mandates that financial services firms, including banks and insurance companies, bolster their IT security to remain resilient against severe operational disruptions, such as ransomware or DDoS attacks. This regulation also encompasses technology suppliers, who play a crucial role in delivering critical digital services. Mike Sleightholme, president at Broadridge International, highlighted that DORA scrutinizes both the financial institutions and their tech suppliers, ensuring comprehensive resilience.

The new law requires rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, and thorough measures to manage third-party risks. According to Joe Vaccaro, general manager of ThousandEyes, banks now need solutions that map dependencies on their IT providers, potentially exposing overlooked vulnerabilities. Vaccaro emphasized that financial institutions will have to expand their oversight beyond the infrastructure they directly control.

DORA’s compliance timeline underscores the urgency for these firms. The regulation came into force on January 16, 2023, and its enforcement will commence in January 2025. Stephen McDermid, EMEA chief security officer for Okta, noted the focus on leveraging existing internal resilience and third-party risk programs to meet DORA’s standards and identify any compliance gaps. Fredrik Forslund from Blancco indicated that banks and vendors are progressing but acknowledged that substantial work remains. He rated current compliance efforts at 6 out of 10, stressing the need to reach full compliance by January.

Failure to comply with DORA will attract significant penalties. Firms face fines up to 2% of their annual global revenues, with individual managers potentially facing sanctions up to €1 million. Additionally, IT providers could be fined up to 1% of their average daily global revenues, with critical third-party IT firms facing penalties as high as €5 million.

The financial sector’s growing reliance on technology is a driving factor behind DORA. As technology becomes integral to service delivery, the industry’s vulnerability to cyberattacks and other disruptions increases. The General Data Protection Regulation (GDPR) significantly influenced DORA, focusing on ensuring that entities handle personal data securely. DORA extends this by addressing the digital supply chain, marking a shift in regulatory emphasis towards the broader ecosystem.

An illustration of the potential consequences of non-compliance is the recent IT meltdown triggered by CrowdStrike. The incident caused widespread service outages, impacting major financial entities like Arvest Bank, Bank of America, and Santander. This event exemplifies the type of disruption DORA aims to prevent, highlighting the importance of robust IT infrastructures and resilient operations.

In addition to complying with mandated regulations, financial institutions are also leveraging advanced technologies to combat financial crime. AI and generative AI play a vital role in detecting illicit activities. Through sophisticated algorithms, institutions can identify patterns and anomalies in vast amounts of data to fight crimes such as money laundering. Nikhil Aggarwal from Deloitte Transactions and Business Analytics explained that visualizing broader networks allows deeper investigations into criminal rings, revealing interconnected threat patterns and enhancing security measures.

AI’s ability to analyze large datasets is a cornerstone in combating financial crime. Dagan Osovlansky from ThetaRay noted that AI facilitates a risk-based approach, learning normal customer behavior patterns to spot anomalies without human oversight. This technology is utilized by over 100 institutions, including Santander, monitoring transactions worth over $15 trillion. Although still in their early stages, these AI implementations have reduced false positives significantly, improving compliance and operational efficiency.

Financial institutions face a challenging journey towards DORA compliance. The integration of AI and a focus on digital operational resilience will be crucial. The sector must address data availability and quality issues to maximize the potential of advanced technologies. As the deadline approaches, firms must intensify their efforts to align with DORA’s comprehensive framework, ensuring robust defenses against future disruptions.

Assisted by GAI and LLM Technologies

Source: ComplexDiscovery OÜ

The post Exploring DORA: Financial Sector Prepares for Comprehensive Digital Resilience appeared first on ComplexDiscovery.

Alan N. Sutin

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.