If 2025 will inevitably see the first DORA-related fines being issued, then early preparation can ensure it’s not your company on the receiving end, says Darren Thomson of Commvault
The EU’s Digital Operational Resilience Act (DORA) is coming and establishes a harmonised ICT risk management framework for the financial sector. Penalties for non-compliance are high: the regulation leaves administrative fines for financial entities to the individual Member States, and figures of up to 2% of total worldwide annual revenue have been cited, depending on the severity of the breach. The EU has already issued over €4bn in GDPR fines since 2018, so organisations need to be properly prepared to avoid onerous fines under DORA.
DORA’s stated goal is to bolster IT security at banks, insurance companies and investment firms, increasing resilience in the event of operational disruption. In practice, this means harmonising resilience rules across 20 different types of financial entity as well as the third-party ICT suppliers that serve them. Ensuring the correct measures and procedures are in place to demonstrate compliance becomes a significant responsibility, with many stakeholders involved.
The regulation focuses on several principal areas, ranging from ICT risk management and digital operational resilience testing to incident reporting, information sharing and an oversight framework for critical third-party ICT suppliers. Consequently, it will have extensive impacts on financial organisations and IT partners that conduct business without the proper controls in place.
With less than a year until DORA comes into force, now is the time to begin preparing and ensuring those controls and processes are up and running in good time. Here are five fundamental starting points to consider before 17 January 2025 rolls around:
Form cross-department teams
Regularly collaborating with professionals and stakeholders from key departments, such as IT, cybersecurity, compliance, risk and legal, will help develop and implement a successful DORA strategy. At the same time, other areas, such as marketing, sales, HR and customer service, should also be involved because they are on the front line of cyber exposure: they handle customer data, receive phishing and social-engineering attempts, and operate the business processes that an ICT outage disrupts. By taking a genuinely company-wide approach, organisations can create a comprehensive and proactive cybersecurity policy, uncovering risks in otherwise overlooked areas.
Secure leadership buy-in
Under DORA, the management body (the board of directors and C-suite officers) bears ultimate responsibility for managing ICT risk and must maintain sufficient knowledge to understand and assess digital risks. Companies can therefore leverage the active participation of senior staff to promote DORA throughout the business. This draws attention to the subject’s importance and encourages employees at all levels to take an urgent interest. Leading by example from the top puts DORA preparations front and centre, rather than paying lip service to its principles and thus leaving the company exposed to breaches and worse.
Assess current processes and vulnerabilities
Early identification of any shortfall between current security and resilience status and DORA’s requirements is vital, so that gaps can be bridged well in advance of compliance deadlines. Take a particularly close look at DORA’s main areas of focus: ICT risk management and governance; ICT-related incident management, classification and reporting; digital operational resilience testing; and third-party ICT risk management. Then engage external expertise to validate procedures and assess each gap and its implications. Vulnerabilities and exposures that could cause significant disruption should be prioritised.
Establish clear objectives
Well-defined and actionable objectives are at the centre of all effective security and resilience strategies. DORA will bring such objectives under regulatory scrutiny and require companies to keep their status under constant review. At the same time, well-defined objectives allow teams across the enterprise to rank compliance priorities while ensuring any investment in security and resilience is aligned with DORA from day one.
Monitor for regulatory updates
As with any legislation, DORA is likely to evolve over time to keep pace with the ecosystem it is meant to protect. Much of its operational detail is set out in the Regulatory and Implementing Technical Standards (RTS and ITS) developed by the European Supervisory Authorities, and these will continue to be finalised and refined. Organisations should therefore have a procedure in place to stay aware of any developments that could affect their compliance status. This should work in tandem with the gap-analysis and prioritisation tools, as well as investment plans, to create a virtuous circle in which compliance is always at the top of the agenda.
Ultimately, DORA has the potential to transform our approach to cybersecurity and resilience for the better. By making organisations more robust, it opens the door to a world where digital security is given the attention it demands, so that fewer companies are exposed to severe risk. There can be no doubt that 2025 will see the first DORA-related fines issued; by preparing now, companies can avoid that unwelcome fate.
About the author
Darren Thomson is Field CTO EMEAI at cyber resilience specialists Commvault.