DORA Takes Effect: Financial Firms Navigating Compliance Headwinds
The EU’s Digital Operational Resilience Act (DORA) is here. The regulation became applicable on January 17, 2025, after a two-year transition period, and organizations falling under DORA’s scope can now face substantial penalties for non-compliance.
The legislation aims to enhance cyber resilience in the financial sector and reduce the prevalence and impact of critical disruptions from cyber events, which have the potential to cause major damage to the global economy.
The provisions apply to banks, insurers, investment firms and other financial entities. ICT third-party service providers serving the financial industry are also in scope. Although DORA is an EU law, it also applies to many global organizations that operate in the region.
DORA has five core focus areas:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- Incident reporting
- Information sharing.
As well as a focus on resilience, the law also seeks to address rising supply chain and third-party risks.
With DORA now in force, Infosecurity has explored the readiness levels of financial institutions to meet the DORA deadline, and some of the compliance challenges on the horizon.
Regulators to Take a Tough Stance
Financial entities were given a two-year transition period to implement the DORA requirements. As a result, many expect that regulators will take a tough approach on non-compliance.
“Compliance with DORA is non-negotiable, and regulators will expect tangible progress,” explained Madelein van der Hout, Senior Analyst at Forrester.
Organizations that fail to comply with DORA risk a range of significant and far-reaching consequences, including fines and reputational damage.
Non-compliant organizations can incur fines up to 2% of their global annual turnover or €10m ($10.2m), whichever is higher.
Critical ICT third-party service providers may also face periodic penalty payments of up to 1% of their average daily global turnover for each day of non-compliance, for up to six months.
Additionally, regulatory authorities have the power to limit or suspend non-compliant financial firms’ business activities until they achieve full compliance.
In severe cases, non-compliance can result in a temporary suspension of operations, effectively halting business. Such penalties could have an even bigger financial impact than fines.
Notably, DORA also provides for individual liability: business leaders can face a maximum penalty of €1m ($1.02m) for their firm’s compliance failures.
Compliance Levels Expected to be High
Given the stakes, there are positive signs around organizations’ preparedness to comply with the new rules.
Large financial firms, already operating in a highly regulated sector frequently targeted by sophisticated cyber-attacks, tend to have strong cyber resiliency built into their systems.
Speaking to Infosecurity, Pat Opet, Global CISO at JPMorgan, said that the banking giant generally views its compliance obligations as “necessary provability” for its security controls.
Regarding DORA, Opet noted that the firm, alongside other large global financial institutions, has placed significant emphasis on aspects such as response and recovery and third-party security over recent years.
“We’ve actually changed our third-party obligations over the past several years to ensure that third parties are institutionalizing response and recovery to the extent that we expect them to,” commented Opet.
Grant Harper, Global Lead for Financial Services at IT monitoring software firm ITRS, said that, anecdotally, he has observed high levels of industry readiness.
“Firms have had years to prepare, and the various supervisory authorities responsible for the implementation have been proactive in providing education and resources to ensure all participants understand the requirements,” he commented.
Van der Hout said she expects global financial companies based outside of the EU to align their practices with DORA to remain competitive and ensure interoperability with EU clients.
Compliance Challenges Remain
Despite the positive signs, there are aspects of DORA that are causing compliance concerns.
A report by Orange Cyberdefense found that 43% of the UK financial services industry will miss the DORA compliance deadline and will not be compliant for at least three months.
Compliance delays appear to be primarily related to the provisions around ICT third-party risk management. DORA requires firms to maintain a register of information covering all of their contractual arrangements with ICT third-party service providers.
Simon Treacy, Financial Regulation Senior Associate at law firm Linklaters, said he expects many organizations to continue work on the registers beyond the January 17 deadline.
“EU financial firms have accelerated their DORA implementation projects in recent months but, for many, there remains a lot to do. Focus areas include the DORA register and updating IT contracts,” he explained.
Treacy added that EU regulators are expected to start asking for this information in Spring 2025. This will give firms a few months to improve the data quality and completeness of their registers and consider recent feedback from the European authorities.
Some of the secondary legislation and part of the Q&A guidance are also pending around the area of third-party IT services, complicating matters further for impacted entities.
Treacy commented: “The European legislators are still working on detailed rules which relate to subcontracting ICT services and threat-led penetration testing. We are also expecting guidance from the European Commission on the scope of ‘ICT services’ under DORA. Depending on the outcome of these rules and guidance, firms may have to extend their implementation projects.”
Another significant issue is the financial cost involved in complying with DORA. Cost is especially challenging for smaller financial firms that may not have the resources to identify risks across their entire IT estate and supply chain.
A report by Rubrik found that around half of financial organizations in the UK have spent over €1 million on DORA compliance.
A major component of these costs relates to the core DORA requirement to establish robust processes to identify and assess ICT risks.
Harper noted that achieving complete visibility over a company’s IT stack is a significant undertaking.
“This is no small task, particularly for financial entities with complex, multi-cloud environments. Implementing monitoring and observability solutions will provide visibility and real-time insights into system performance, detect anomalies and support identification of vulnerabilities before they escalate,” he explained.
DORA Introduces “Burdensome” Incident Response Rules
DORA has introduced stringent incident reporting requirements on impacted entities.
Initial notification of “major” incidents must be made to the relevant competent authority within four hours of classifying the incident as major, and in any case no later than 24 hours after the firm becomes aware of it.
A major ICT-related incident is one with a high adverse impact on the network and information systems that support the organization’s critical or important functions.
Then, a more detailed intermediate report must be submitted within 72 hours of the initial notification.
Opet said this is a time-consuming task while in the process of responding to such a cyber-attack.
A final report must be submitted no later than one month after the intermediate report.
Several current and upcoming pieces of EU legislation have differing rules around cyber incident reporting, including NIS2, the General Data Protection Regulation (GDPR) and the Cyber Resilience Act (CRA).
Some experts have argued this lack of consistency creates significant costs and complexities for businesses, including in the financial sector.
The Federation of European Risk Management Associations (FERMA) warned in an October 2024 report that compliance with these various EU rules will often result in organizations having to report incidents to different authorities within different timeframes.
JPMorgan’s Opet said this issue is a significant concern to the bank.
“The more we see regulatory fragmentation, the harder it makes it for us to have consistency in the control outcomes that we expect. Therefore, we’re big supporters of regulatory harmonization,” he explained.
Opet also described the reporting requirements in DORA itself as “burdensome” for global organizations operating in multiple EU countries.
“The fact that we have got to report incidents for every legal entity in any country that’s subject to this regulation, and also individually report on the impact of an incident relative to that legal entity when we’re a multi-provider business, is very taxing,” he said.
Conclusion
DORA is a significant piece of legislation, which reflects the growing recognition of supply chain risks and the fact that cyber incidents can happen at any time, even with the most stringent measures in place.
Large financial firms have developed robust defenses to protect the critical data they store. Many of the DORA requirements will reflect the work they have already done in areas such as third-party risk management.
However, major compliance challenges remain. These include documenting and updating contractual arrangements with third-party ICT providers, an area where some of the detailed rules, notably on subcontracting, have not yet been finalized.
There are also concerns about the practical implementation of DORA’s stringent incident reporting requirements for financial entities.
Infosecurity will continue to report on the impact of the rules over the coming months, any potential revisions and any penalties issued to those who fail to meet the requirements.