Financial organisations: Are you ready for the DORA deadline?

Time is running out.

The deadline for financial institutions to meet DORA requirements is January 2025. So, for any organisation that has yet to do so – there’s really no time to waste.

Now let’s look at the requirements, implications, and options available to meet compliance obligations.

What is DORA?

DORA was introduced in January 2023 to strengthen the financial sector’s digital resilience. It provides clear guidelines for managing IT risks, reporting incidents, testing resilience, and managing third-party risks.

Organisations were then given two years to achieve compliance by January 2025.

During this time they’ve been required to align their ICT risk management and operational resilience to DORA standards.

• January 2023: DORA comes into effect, starting the compliance clock.
• 2023-2024: Organisations should conduct gap analyses, strengthen ICT risk frameworks, and implement resilience testing.
• January 2025: Deadline for full compliance.

The rules also cover third-party providers, holding them to the same standards as financial institutions. Firms must secure their systems and ensure partners meet DORA requirements too.

Who needs to be DORA compliant?

DORA applies to a wide range of organisations within the financial services sector, including:

• Credit institutions and investment firms
• Payment and electronic money institutions
• Insurance and reinsurance undertakings
• Crypto-asset service providers
• ICT third-party providers (e.g., cloud services)

Essentially, if a financial entity operates in the EU, DORA likely applies to it. UK-based organisations may also need to comply, particularly if they have operations or partnerships in the EU.

Even post-Brexit, aligning with DORA is often necessary to maintain market access and ensure smooth cross-border relationships, given the interconnected nature of financial services between the UK and EU.

DORA’s key focus areas for resilience

DORA focuses on several critical areas to help financial services enhance digital resilience and ensure they’re prepared for evolving risks.

IT risk management

DORA sets requirements for managing ICT risks:

• Implement strong governance and controls
• Build resilient ICT systems with ongoing risk management
• Establish robust continuity and disaster recovery plans

Risk management frameworks should match the organisation’s size and complexity.

Incident reporting

DORA emphasises prompt and effective incident reporting:

• Detect, log, and manage incidents quickly
• Report significant incidents consistently to authorities
• Maintain transparency through regular updates

Effective and clear reporting helps protect the entire financial ecosystem.

Resilience testing

Testing resilience is crucial for staying ahead of threats:

• Periodically test ICT systems for vulnerabilities
• Conduct advanced tests like TLPT for high-risk organisations
• Address weaknesses promptly

Testing frequency should match the organisation’s risk level.

Third-party risk management

Managing third-party risks is essential:

• Closely manage risks from ICT providers
• Contracts should specify service levels, data locations, and exit strategies

Third-party risk is key to overall ICT risk management.

Information sharing

DORA encourages information sharing to strengthen defences:

• Share threat intelligence with other financial firms
• Collaborate to build collective defences and reduce risks

Sharing information helps the sector mitigate risks more effectively and strengthen its overall resilience.

Getting ready for DORA compliance

With the deadline approaching, it’s crucial to act now.

Here are some key steps to prepare:

1. Conduct a gap analysis
   Compare your current ICT risk practices to DORA’s requirements. Identify necessary changes in policies, processes, or tech to build a solid compliance plan.
2. Enhance ICT risk management
   Make sure you have structured frameworks in place to manage ICT risks consistently and adapt as your organisation evolves.
3. Set up incident reporting
   Ensure processes are in place for detecting, logging, and reporting incidents internally and to authorities. Make sure the team knows how to handle this effectively.
4. Plan resilience testing
   Create a testing programme that includes regular exercises and penetration tests. Address any weaknesses quickly to strengthen your resilience.
5. Assess third-party risks
   Review contracts with third-party providers to ensure DORA compliance, including clear SLAs, data handling details, and exit strategies.
6. Engage in information sharing
   Join a trusted community to share and receive threat intelligence. This can help you stay updated on emerging cyber threats and effective defences.

What happens if organisations don’t comply?

Non-compliance with DORA can lead to significant penalties. Financial authorities have the power to impose fines and other remedial measures, and for ICT third-party providers, the penalties could reach up to 1% of their average daily turnover until compliance is achieved.

The reputational damage of non-compliance could also be considerable. With DORA’s requirements being central to operational stability, failing to comply could undermine client and market confidence in the business.

DORA and other regulations

DORA does not replace existing data protection laws such as GDPR, it works alongside them.

Organisations need to consider where these regulations overlap, particularly around incident reporting. Understanding how DORA fits within the broader regulatory landscape is essential to ensure full compliance.

Why DORA matters now more than ever

Digital resilience is crucial for the financial sector. Breaches and failures can lead to significant costs, and as cyber threats grow in frequency and sophistication, financial institutions are prime targets.

Ransomware attacks or system failures don’t just cost money; they can destroy trust and reputation. Issues like data breaches or outages can even create economic instability beyond the affected firm.

DORA tackles these challenges with a unified approach. By enforcing common standards across European financial institutions, it strengthens the entire system—vital in a global economy where firms rely on complex networks of providers.

DORA also aims to future-proof financial services, requiring institutions to build flexible, resilient systems that can adapt to new threats, including those from emerging tech like AI and blockchain.

Turning compliance into resilience

DORA is not just about avoiding fines.

It’s an opportunity to enhance resilience and build trust in an interconnected financial world. The requirements are designed to not only withstand cyber attacks but also to respond effectively and recover swiftly. Ensuring stability across the financial ecosystem.

We appreciate that many organisations have already got their ducks in a row on this issue and will be confidently compliant ahead of the January deadline.

But if you’re still unsure or unprepared, then the time to act is now.

For organisations seeking guidance on how to best prepare for DORA or to enhance their digital resilience journey, reaching out to industry experts can provide valuable support.

Kocho and Evolve North are here to help

Working together in partnership means aligning Evolve North’s many years of compliance expertise with Kocho’s leadership in cyber security, secure cloud services, and Microsoft technology. Together, we’re here to guide financial organisations towards DORA compliance with confidence.

From gap analysis to ICT risk enhancement and resilience testing, our tailored support ensures financial institutions are prepared for DORA’s challenges. We offer practical, hands-on help to mitigate risks, streamline processes, and achieve full compliance before the January 2025 deadline.

Ready to align with DORA? Then get in touch here or via the link at the bottom of the page to set up a short discovery call.

And take the first steps towards strengthening digital resilience and meeting compliance requirements.

Key takeaways