t has been said that if a butterfly flaps its wings in the Serengeti, it can change the climate half a world away. Similarly, if an EU regulator enacts regulation in the EU Commission, it can have a major impact as far away as the United States.
We saw this through the ubiquity of website cookie notices and recent state-level laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which, if nothing else, took some inspiration from the EU’s General Data Protection Regulation (GDPR).
Get ready for another EU regulation that, while not directly applicable in the United States, will nonetheless have a major impact on compliance at U.S. organizations. The Digital Operational Resilience Act (DORA) will be similarly impactful once it comes into force on January 17, 2025—especially for those in the financial services industry.
Nominally, DORA is a cyber-resilience regulation aimed at protecting the operational stability of the European financial services industry. It is the first ever EU regulation of its kind that targets resilience at a sectoral level and, partially speaking, is an extensive suite of requirements for financial institutions and businesses that provide services to them around how information and communication technology (ICT) contracts should be written, risks assessed, incidents reported and security systems tested, among other things.
Like any good EU regulation, DORA will come with large potential fines (one percent of global turnover) for violators.
DORA Is Not Just an EU Regulation
The key thing auditors need to understand about DORA, especially as they are being asked to take on more risk-based responsibilities, is that DORA is very broad. It creates significant regulatory risk for potentially tens of thousands of entities in and outside the EU.
According to a recent McKinsey survey, most EU financial entities have started their journey towards DORA compliance, but only a third expect they will be ready on time for January 17. Globally, the state of DORA readiness is likely far lower.
This is important because, like the GDPR, DORA does not just apply to the 22,000 or so financial entities based in the EU. Instead, it is enforced based on where an organization’s customers are based. This means that if a financial institution in the United States, the United Kingdom, or any other location outside the EU deals with EU customers, there is a strong chance that DORA applies to them.
The best starting point for a compliance officer or internal auditor to see whether their organization falls under DORA is to look at the list of financial entities that are not in DORA’s scope.
Organizations excluded from DORA include non-financial entities, (some) alternative investment fund managers, very small insurance and reinsurance firms, financial entities outside the EU that do not serve the EU financial sector, and some others like post office GIRO institutions and small occupational pension funds.
As a rule, if a financial institution trades actively and is large enough to have EU-based customers, it will need to comply with DORA’s rule sets. Fintechs, crypto brokers, hedge funds, asset managers, and more traditional banks and financial institutions will all be impacted.
What Types of Companies Does DORA Cover?
Some organizations will have more stringent DORA requirements than others. A large multinational bank, for example, with complicated ICT systems and a lot of interdependent relationships will have relatively tough requirements.
To comply with DORA, an entity like this will likely have to conduct threat-led penetration testing (a form of offensive cybersecurity exercise in which you test IT systems against realistic cyber-attack scenarios and threats) at least every three years and other security testing on an annual basis.
They will also need to be able to report ICT incidents, such as data breaches, within 24 hours for significant events and conduct detailed third-party risk assessments for all critical ICT service providers. Ideally, the entity in question will already be ahead of this task, and the compliance officer or internal auditor’s job will not change to a great degree due to DORA.
A smaller organization, like an investment firm with a more basic ICT infrastructure that is less critical to the overall financial services industry, will have different requirements. They will have longer windows for incident reporting (72 hours) and simpler third-party risk requirements. Testing will still be required but on a less stringent basis.
Although many smaller organizations may have slightly less to do to become DORA compliant, they may find that many of DORA’s requirements, like threat-led penetration testing, are completely new to them.
Microenterprises, “very small entities,” defined as having a revenue of less than €2 million per year ($2.11 million) and less than 10 employees, and simple IT environments will have much lighter compliance requirements.
Critical Third Parties Covered by DORA
Another quirk of DORA is that it’s not just applicable to financial institutions but will also impact businesses that serve them, such as companies that provide services that are essential to the EU financial services industry, but are not financial institutions themselves. Some of these businesses will be designated as Critical ICT Third-Party Service Providers (CTPP) and have especially strict requirements.
An essential requirement for ICT third-party service providers to be considered critical by DORA is that they must provide ICT services that support critical or important functions to at least 10 percent of the financial entities for any given category, as defined in DORA. “Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.
In a broad sense, a CTPP is a service that, if it fails, would cause serious damage to a significant portion of the EU financial services industry. A company is designated as such, either by voluntarily declaring itself to be a CTPP or by being appointed as such by a European Supervisory Authority, such as the European Banking Authority. Major cloud service providers like Google Cloud, for example, will likely become CTPPs and have been taking steps to comply with DORA for quite some time.
Compliance Matters
Sectoral, global, and coming into force in less than six months by the European Commission, DORA will become a mainstay of boardroom conversation in 2025.
Hopefully, this article will help compliance officers and internal auditors better understand who is and isn’t covered by DORA. In practice, DORA compliance is a significant top-down effort. The average major financial services industry organization will dedicate significant resources to DORA compliance.
Nikos Vassakis is the Head of Consulting Services at SECFORCE, an IT security and cybersecurity firm based in London, U.K.