The Digital Operational Resilience Act (DORA) of the European Union (EU) recognizes the importance of cloud technology in the banking industry while emphasizing the potential risks of service outages. The EU has previously imposed significant fines under GDPR, setting a precedent for technology companies. DORA, which will be enforced from 2025, introduces penalties for non-compliance, including a periodic payment of 1% of average daily worldwide turnover.

The purpose of DORA is to address ICT risk management in financial services and establish a framework for managing and mitigating risks by eliminating gaps and clashes between existing regulations. Until now, risk management regulations have primarily focused on financial institutions’ financial resources and capital, resulting in varying requirements and patchy regulations across EU nations. DORA’s scope extends to include third-party ICT service providers, cloud providers, and management solutions that support financial services organizations. It consists of five core pillars: ICT risk management, ICT-related incident reporting, digital operations resilience testing, ICT third-party risk, and information sharing.

Organizations should prepare for DORA by building their Digital Resilience Framework, improving their capabilities and processes, and conducting required evaluations, tests, and reports. DORA will take precedence over overlapping regulations, making it the main reference point for compliance. Achieving compliance requires a cultural and procedural shift, involving collaboration between teams and the sharing of information. Internal cooperation and governance are vital, and organizations should invest in these areas to ensure DORA compliance. Taking a preventive approach rather than a reactive one is crucial to avoid costly consequences.