Financial sector prepares for EU DORA regulations in 2025

The financial sector is preparing for the introduction of the European Union's Regulation on Digital Operational Resilience for the Financial Sector (DORA), set to take effect from 17 January 2025.

Jonathan Armstrong, Partner at Punter Southall Law and an expert in compliance and technology law, provides insights on DORA's implications for financial services in the EU and worldwide. He stated, "DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions. It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers, like cloud computing services."

Armstrong highlighted the regulation's fundamental objective, noting, "At its core is the recognition that financial systems across the EU are part of each country's critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU." The global IT outage last July involving cybersecurity firm CrowdStrike and its connections to Microsoft's systems underscored these vulnerabilities.

Armstrong further explained, "DORA has caused concern in the financial services, tech and cyber security communities so it's important for businesses to understand fully their responsibilities. Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025."

DORA aims to consolidate and enhance Information Communication Technologies (ICT) risk requirements across the EU financial services sector, ensuring consistent standards are met to mitigate ICT risks, including cyber security threats. Its influence also extends beyond financial services, impacting supply chain resilience.

The framework establishes various requirements, such as dedicated ICT risk management capabilities, reporting of major ICT-related incidents, digital operational resilience testing, ICT third-party risk management, and sharing of information among financial entities.

DORA introduces an EU oversight framework for critical ICT providers, notably cloud service providers. It is binding legislation directly applicable in Member States, though the DORA Directive requires transposition into each national law. Member States will determine penalties and remedial measures, which may apply to natural and legal persons, with the possibility of criminal penalties for breaches of DORA, highlighting a trend toward personal liability in regulatory compliance.

Regarding the UK, while DORA is not applicable to its financial sector, operational resilience remains a priority, with a regime reflecting similar key elements. UK firms must identify critical business services, set impact tolerances, conduct mapping exercises, carry out scenario testing, review lessons from disruptions, develop communication strategies, and undertake self-assessments approved by the board.

The UK's Financial Conduct Authority and Prudential Regulation Authority's operational resilience rules came into force on 31 March 2022, with a transition period ending in March 2025. Notable fines have been imposed, such as TSB's penalty of GBP £48.65m in December 2022 for operational risk management and governance failures due to IT system issues.

Jonathan Armstrong advises that businesses within or associated with the DORA regime should evaluate how to meet their obligations, identifying the process as potentially a significant project. Recommended steps include conducting a gap analysis, training staff on operational resilience, ensuring preparedness for incident response, assessing board and management expertise, and revising contracts with third-party providers.

Armstrong concluded, "Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements. Organisations should seek specialist advice to ensure they fully understand how DORA and the UK rules apply to them."