DORA is not just a European headache.
The Digital Operational Resilience Act, a groundbreaking set of cybersecurity regulations for the financial services industry passed by the European Union (EU) last year and open for public comment this summer, will reverberate in the U.S. and around the world. The rules require finserv firms doing business in the EU, along with the companies that supply them with technology and communication services, to improve their cybersecurity practices, especially when it comes to incident response—or face serious repercussions.
“There is no DORA lite,” explains Rois Ni Thuama, head of cyber governance at security vendor Red Sift. For businesses based inside or outside the EU, “the impact is the same.”
Penalties for DORA violations can be steep. While fines or criminal sanctions are not written into the DORA regulation, individual EU nations can institute penalties and criminal sanctions into their national laws, which may include fines of up to 2% of an entity’s total annual worldwide revenues or 1 million euros per individual.
Though the new rules don’t go into effect until January 2025, international law firms are advising financial services firms and third-party suppliers like cloud-services providers that the time to act—and ensure that they’re operating in compliance with the new rules—is now.
Fortunately, getting DORA-compliant has a significant upside. “Compliance with DORA offers significant benefits to those who adhere to its explicit requirements and underlying principles,” says Ni Thuama. “The economic advantages are substantial, leading to improved decision-making and avoiding the costs associated with neglecting known threats.”
Details on DORA
DORA’s regulatory reach runs wide. Most financial services firms, including payment providers, electronic money vendors, accounting information service providers, investment firms, management companies, trading companies, brokers, insurers, crypto-asset service providers, and more, fall under its purview.
The law also covers providers of information and communication technology (ICT) services, which includes digital and data services providers—cloud providers, data center services, hardware services, and electronic communications services providers, aside from those providing analog telephone lines.
DORA’s requirements are prescriptive, with a strong focus on incident-response capabilities. DORA requires firms to have business continuity plans for their operations, including critical functions outsourced or contracted through ICT service providers. Covered entities must also perform risk assessments and be able to show how they are effectively managing their risk. Firms should also be prepared to share their ICT risk management framework and internal governance and control frameworks with regulators to show how they identify, assess, monitor, and manage ICT risks.
None of this is terribly new. Experts have advised such measures for years, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published and publicized its incident and vulnerability response playbooks in 2021 in an effort to get businesses and government agencies to adopt better and more standardized practices, yet many firms have been slow to act.
Cybersecurity firm SecurityScorecard recently analyzed 240 of the largest financial institutions in the EU that must comply with DORA by the January 2025 deadline. The firm found that 78% of financial institutions experienced a third-party data breach in the past year and that 18% of these firms had a cybersecurity rating of a C or below. According to SecurityScorecard, firms rated as a C have a seven-times-higher chance of being breached than those with an A rating. According to the firm, the factors that inform the rating include endpoint security, patching cadence, ransomware score, DNS health, IP reputation, cubit score, and network security.
DORA’s goal is to ensure a more resilient risk posture. “It’s good to see a focus on resilience,” says Wim Remes, operations manager at security firm Spotit. “This set of regulations aims to move entities away from simply checking the boxes when it comes to regulatory mandates,” Remes says, to a more holistic (and more effective) strategy of risk management.
The EU isn’t the only region shifting toward digital resilience. Banking regulators in the U.S., including the Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation, concurrently issued the Sound Practices to Strengthen Operational Resilience guidance, outlining the practices expected of large banks to address the operational risk associated with cyberattacks, natural disasters, and pandemics.
What financial firms and their tech providers must do to prepare
Large technology providers, such as Google Cloud, are already making the changes they need to become DORA-compliant. In a detailed blog post, the Google Cloud team explained that they’ve brought together subject matter experts from risk and compliance, security, legal, government affairs, and product teams who are preparing compliance plans where needed. “These plans build upon our strong foundation in areas like security, resilience, and third-party risk management that already enable our EU financial services customers to address their rigorous regulatory expectations,” Google wrote.
Google is also preparing for its likely designation as a critical technology provider and the annual engagements that will be required, along with providing oversight plans, inspections, recommendations, and advice to customers on incident reporting.
The Google playbook is an excellent one to follow: Firms should baseline where their capabilities exist against DORA’s requirements and close any identified gaps.
The great thing about DORA is that it does not require novel thinking. “In fact, it essentially requires that financial entities follow best practices,” Ni Thuama says.
Ni Thuama advises covered financial services firms and technology providers to self-assess across six areas: governance, risk management, reporting, testing, third-party risk, and information sharing. “They need to plot those key areas, determine where they are today with respect to each of those key areas, and fill those gaps, assuming there are gaps,” she advises.
Where to start? Ni Thuama recommends firms check out the ICT Risk Management Framework and then identify their testing requirements. Businesses, she says, should “schedule periodic testing of tools and systems to assess preparedness and correct for any weaknesses, deficiencies, or gaps.”
Ultimately, DORA demands firms do what they should already be doing, notes Scott Crawford, information security research head at 451 Research. And we should expect that same focus on resilience from regulators everywhere. “You’re going to continue to see regulations that ensure companies can respond to significant cyber events, whether it’s denial-of-service attacks or ransomware—no matter what form those events take,” he says.
Deadline to voice your views on the new DORA rules
Security leaders are going to face new regulations and legal risks; that’s for sure. And for CISOs who’d like to have their opinion heard regarding DORA and its impact—or perhaps how the regulation can be improved—there’s still time. Security and business leaders have until Sept. 11 to share their thoughts regarding four sets of draft regulatory standards, each of which is open for public comment.