The Digital Operational Resilience Act (DORA), effective from January 17, 2025, establishes a comprehensive framework to enhance the IT security of financial entities within the European Union. Its primary objective is to ensure that institutions such as banks, insurance companies, and investment firms can withstand, respond to, and recover from all types of Information and Communication Technology (ICT)-related disruptions and threats.
While DORA aims for harmonization, its implementation and impact vary across jurisdictions, notably between Germany, the broader EU, and the United Kingdom (UK).
Germany:
In Germany, DORA applies to more than 3,600 financial institutions. The regulation took effect in January 2023, with mandatory compliance set for January 2025. The Federal Financial Supervisory Authority (BaFin) and the Bundesbank have been designated as the primary regulatory bodies overseeing its implementation. To align national regulations with DORA, Germany introduced the Financial Market Digitalisation Act (FinmadiG) in December 2024, which also incorporates the Markets in Crypto-Assets Regulation (MiCAR). This legislation repeals several existing BaFin IT supervisory requirements, including BAIT, VAIT, and ZAIT, in favor of a standardized EU-wide regulatory framework. Notably, BAIT regulations for banks will be completely phased out by December 2026.
European Union (EU):
As an EU regulation, DORA applies uniformly across all member states without requiring national transposition. However, each country retains the responsibility to define enforcement mechanisms through national legislation, including the powers of its regulatory authorities and its sanction framework. This has resulted in varying approaches to implementation timelines, oversight bodies, and incident reporting requirements. For example, Luxembourg enacted its implementing law in July 2024, appointing the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) as supervisory authorities, with the authority to levy fines of up to €5 million. Meanwhile, Ireland’s Central Bank has provided specific guidance on information registers and incident reporting, requiring financial institutions to submit their registers by April 4, 2025.
United Kingdom (UK):
While the UK is no longer part of the EU, DORA still affects UK-based financial entities conducting business within EU jurisdictions. These firms must evaluate whether their operations fall under DORA’s regulatory scope, particularly if they participate in EU financial markets. The UK’s current operational resilience framework aligns with many of DORA’s principles but adopts a more flexible, principles-driven approach. UK firms can build on their existing resilience strategies to meet DORA’s requirements, focusing on key aspects such as identifying critical business services, using established structures, and integrating resilience into daily operations.
Key Provisions of DORA:
- ICT Risk Management: Financial entities are required to implement robust ICT risk management frameworks, ensuring continuous monitoring and control over their digital infrastructures.
- Incident Reporting: Mandatory reporting of major ICT-related incidents to competent authorities is stipulated, promoting transparency and facilitating coordinated responses to cyber threats.
- Resilience Testing: Regular digital operational resilience testing is mandated to assess the effectiveness of ICT systems and processes in mitigating risks.
- Third-Party Risk Management: DORA emphasizes the importance of monitoring and managing risks associated with ICT third-party service providers, ensuring that outsourced services do not compromise operational resilience.
- Information Sharing: The act encourages the exchange of information and intelligence on cyber threats among financial entities to foster a collaborative defense against cyber risks.
At London Strategy, in alignment with DORA’s objectives, we offer specialized cybersecurity transformation consulting services designed to enhance organizational cyber resilience. Our comprehensive approach includes:
- Cybersecurity Maturity Assessment: Evaluating an organization’s current cybersecurity posture to identify strengths and areas for improvement.
- Implementation Programs: Developing and executing tailored cybersecurity strategies to address identified vulnerabilities and align with regulatory requirements.
- SOC Setup and Optimization: Establishing and refining Security Operations Centers to ensure effective monitoring and response to security incidents.
- Threat Intelligence and Analysis: Providing insights into emerging threats and developing proactive measures to mitigate potential risks.
- Risk Management Framework Development: Creating structured frameworks to systematically identify, assess, and manage cybersecurity risks.
- Regulatory Compliance Assistance: Guiding organizations through the complexities of regulatory landscapes, including adherence to DORA’s provisions.
By integrating DORA’s regulatory requirements with our cybersecurity transformation services, financial entities can establish a robust framework that not only ensures compliance but also strengthens their overall digital operational resilience. This synergy enables organizations to confidently navigate the evolving cyber threat landscape while maintaining the integrity and continuity of their operations.
Get in touch with us (Let’s connect – London Strategy) to discuss the specifics of your DORA compliance project.