By Kris Lovejoy, Global Cybersecurity and Resiliency Leader at Kyndryl
The European Union’s Digital Operational Resilience Act, commonly referred to as DORA, will be enforced a year from today, Jan. 17, 2025. DORA is among several recent and emerging regulations in the EU and U.S. created to enhance and standardize requirements for enterprise cyber resiliency. DORA is specific to EU-27 financial entities — including banks, insurance companies, credit agencies and more — and third-party service providers, such as Kyndryl, that support them.
Next January may seem like a distant target. But in the complex world of financial services Information and Communication Technology (ICT), one year is hardly enough. Affected firms must strengthen (or build), pressure test and implement the critical systems and protocols that will protect both operational and personal data from adverse manipulation, destruction or theft. If they don’t, they’ll be subject to sanctions and penalties — up to and including the C-suite and board of directors — in addition to operational and reputational damage.
Some industry estimates suggest that over 90% of financial services organizations are highly reliant on their IT to operate. And now regulatory compliance (and associated fines and legal fees) and cyber insurance repercussions will compound the effects of cybersecurity breaches.
Meanwhile, adverse cybersecurity events have compromised or disrupted operations of most financial services organizations over the last two years. And the average cost of each disruption can run into the millions of dollars — a heavy burden for the small- and mid-size financial institutions that DORA covers.
Over the coming year, the European Supervisory Authorities (ESAs) will further their work to develop the Regulatory Technical Standards (RTSs) relating to each of DORA’s five pillars. By Jan. 17, 2024, the ESAs will submit the first batch of RTSs to the European Commission for Risk Management Tools, Methods, Processes and Policies; the ICT Management Framework; Classification of ICT-Related Incidents and Cyber Threats; and Management of ICT Third-Party Risks.
At the same time, and through March 4, 2024, the ESAs are consulting with stakeholders on the second batch of RTSs, for Reporting Contents and Templates; Advancing Testing of ICT Tools, Systems and Processes, Based on Threat-Led Penetration Testing; Key Contractual Provisions; Designations of Critical Third-Party Service Providers; and Ongoing Oversight. By July 17, 2024, the ESAs will submit the second batch of RTSs to the European Commission for final approval.
The European Central Bank’s (ECB) recently launched cyber resilience stress test — the first of its kind for the ECB — is also indicative of the significance of digital operational resilience for banks in Europe. No doubt the learnings from the ECB-supervised banks’ submissions will inform the conversation on how they prepare for DORA.
With little time to prepare, this could seem overwhelming to even the most sophisticated organizations. It will require nuanced guidance and support to avoid costly mistakes — especially when modernization of legacy systems is a critical part of the financial services firm’s cyber resilience journey.
Cybersecurity and resilience are central to all IT operations across every industry. Emerging regulations in the EU and U.S. will help clarify the conversation about what needs to be done, and how.