The EU’s Digital Operational Resilience Act (DORA) will apply to a broad range of financial companies in Europe from 17 January 2025. The new regulation aims to strengthen the IT security and resilience of firms and, as a result, the broader financial sector. It brings new requirements regarding the way firms manage third-party risks. In this blog, we look at five key takeaways from DORA which companies should prepare for, and explain why a focus on credible data and technology can help firms to improve their resilience and risk management.
DORA: a regulatory shift with widespread application
The clock is ticking. After years of discussion, DORA will finally come into effect on 17 January 2025. The backdrop to the EU’s new regulation is that financial companies are becoming increasingly dependent on technology to deliver their essential services. AI, cloud-based platforms and other technologies are now widely used to power various activities, including:
- Customer relationship management
- Customer due diligence and Know-Your-Customer verification
- Loan and credit decisions
- Investment strategy
The technology and data which firms use for these applications is commonly provided by third parties. This offers financial firms efficiency savings and quicker time to insights. But relying on technology also makes firms more vulnerable to cyber-attacks or other incidents which disrupt their services and put their customers at risk. Moreover, the critical role of third parties means an incident arising may be outside the financial firm’s control.
DORA applies widely to 20 different types of financial companies and third-party technology providers operating in the EU, including banks, credit institutions, payment institutions, e-money providers, investment firms, and crypto-asset service providers. In fact, all European financial firms would be wise to prepare for the regulation. As Germany’s financial regulator BaFin advises: “In future, most supervised financial entities will be obliged to company with DORA”.
The EU says DORA aims to “strengthen the IT security of financial entities” and ensure the sector’s resilience in the event of severe disruption. It introduces new requirements for firms to improve their “digital operational resilience” across six key areas:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- ICT-related incidents
- Information sharing
- Oversight of critical third-party providers
The full 79-page regulation has been published on the EU’s website. But here are five takeaways from DORA which should guide how companies address the new obligations:
- Invest time and resources in your digital operational resilience
DORA brings together a patchwork of regulations and guidelines into a single regulatory framework to assess companies’ digital operational resilience, and firms must not underestimate its significance. The German regulator’s guidance for implementing DORA warns firms that it requires a “new strategy for digital operational readiness” which focuses on “ICT risk management” and “third-party risk management”. While a PwC report describes DORA as “a game changer” and a sign the “level of expectation [from regulators] has increased even more”.
- Put in place a risk management strategy for your use of technology and data
A key requirement of DORA is for companies to implement a risk management strategy to ensure digital operational resilience. This means establishing governance to identify, monitor and oversee all technology-related risks and potential incidents.
A firm’s strategy should be proportionate to its size and the nature and importance of the digital risks it has identified. It should consider and cover a wide range of elements related to technology risk, including:
- Mapping out ICT systems
- Identifying and classifying critical assets and functions
- Conducting ongoing risk assessments on ICT systems, including cybersecurity threats and mitigations
- Testing ICT systems against various scenarios and disruptions
Improve your oversight of third parties and their risks
Providers of critical services for financial firms, such as technology and data analytics companies, need to comply with the Act. But crucially, DORA also holds financial firms accountable for their third parties’ compliance with digital operational resilience requirements. Firms are now required to map out their third-party ICT dependencies, and they will be held accountable for their third parties’ resilience failures.
Firms should therefore carry out proper due diligence on all third parties to assess their compliance and their risks and consider inserting clauses in contracts and service-level agreements to ensure high standards of digital operational resilience are met.
- Expect strict penalties for falling short
As of 17 January, DORA will be fully enforceable by financial regulatory authorities on an EU level and in EU member states. Firms who cannot demonstrate compliance with the new requirements could face enforcement action and strict penalties, including:
- Up to 2% of a company’s annual global revenue
- Up to $1.1 million sanctions for individual executives
- Up to 1% of revenue for an IT provider
- The threat of ongoing daily fines until the breach is remediated
The size of these fines, and the associated reputational and strategic damage of an enforcement action, means that any firm seeking to save money by cutting corners on digital operational resilience will find this false economy. McKinsey found “leading EU financial institutions” are spending an average of €5 million to €15 million on planning. While the amount a company needs to invest will depend on its size and risk levels, strategic investment in credible data and compliant technology is advised for all companies.
- Prioritize quality and safety of data and technology
Yet financial investment alone will not be sufficient to ensure a firm’s compliance with DORA. At the heart of its requirements is the need for firms to think carefully about the technology services they use and onboard, and the security and credibility of the data powering that technology. As PwC’s report put it, they need to “develop a true culture of digital operational resilience”.
An increasingly effective way banks are meeting increasing expectations around their use of technology and data is by implementing a Responsible Business approach. This means considering the safety and privacy of technology and data, and the impact on people and society, alongside or even above profit motives. This is particularly important for financial companies, because the consequences of an IT security breach could be harmful to large numbers of customers. A Responsible AI approach should therefore be considered by banks seeking to overcome both DORA and non-DORA risks around their reliance on technology providers.
Improve trust in your use of technology with credible data from LexisNexis®
LexisNexis offers data and technology to help along their journey to compliance with DORA and wider expectations around their resilience. Our advantages include:
- Comprehensive data: Nexis Diligence+ provides an in-depth content collection and comprehensive, 360-degree view of people and companies that sets a higher standard for thoroughly assessing third-party risk.
- Integrated data: Our API solution, Nexis® Data+, enables you to integrate our enriched data into your existing tools and platforms. It offers direct access to our extensive data universe, encompassing news, legal, company, financial, biographical sources, ESG ratings, academic journals, compliance data, and more.
- Credible data: As an established data provider for over 50 years, LexisNexis has extensive, long-standing – and in some cases, exclusive – content licensing agreements with publishers worldwide. This ensures our data does not compromise the intellectual property of our publishers or the data security and privacy of individuals.
- Responsible technology: We consider the real-world impact of our technology and data solutions on people by placing the advancement of the Rule of Law at the core of our business strategy and following the RELX Responsible AI Principles.