The Digital Operational Resilience Act (DORA) introduces stricter cybersecurity rules for financial companies and their tech providers. Its goal is to protect the financial sector from IT disruptions and new cyber threats.

Who Does DORA Apply To?

DORA covers financial businesses in the EU, such as:

  • Banks
  • Crypto service providers
  • Trading platforms
  • Insurance companies

It also applies to their critical IT and communication service providers, even if those providers are based outside the EU. If a provider is designated “critical” by European regulators, it will need to set up an office in the EU. The first designations of critical providers are expected later in 2025.

What Are the Key Requirements?

Under DORA, financial companies must improve their cybersecurity practices. Requirements include:

  • Reporting incidents within four hours
  • Testing systems for resilience
  • Managing risks with third-party providers
  • Monitoring cyber threats

Contracts with IT providers (like cloud services, cybersecurity vendors, and communication platforms) must meet specific DORA standards. This means DORA will impact not just financial companies but also many of their service providers, regardless of location.

What Happens If You Don’t Comply?

Non-compliance can lead to serious penalties. Regulators can:

  • Impose fines (up to €5 million or 10% of annual revenue, depending on the country)
  • Suspend management positions
  • Pursue criminal charges

How to Prepare

Financial companies should:

  • Review their cybersecurity processes
  • Update incident reporting procedures
  • Ensure contracts with IT providers meet DORA standards

Service providers should:

  • Anticipate customer questions about compliance
  • Prepare to update contracts to align with DORA

Starting January 17, 2025, these rules will reshape how financial companies and their tech providers manage cybersecurity.
