Digital Operational Resilience Act (DORA): Challenges and Opportunities for Financial Institutions
Introduction
As of January 17, 2025, all EU financial institutions are required to implement the Digital Operational Resilience Act (DORA), a new EU regulation aimed at increasing cybersecurity in the financial sector. A recent survey by metafinanz found that the average implementation rate in medium-sized financial companies is around 45%, with none of the surveyed organizations expecting to meet the deadline.
The biggest challenges
The authors of the study attributed this to the late publication of technical standards with detailed regulations. According to the German Insurance Association (GDV), some technical details are still unclear. One of the key points is the management of third-party risks. Financial institutions must not only control internal IT risks but also consider threats from third-party providers and their subcontractors. "For contract management with service providers, the outstanding specifications for sub-contracting need to be finalized quickly," said Jörg Asmussen, Chief Executive of GDV.
The need for a clear focus on long-term resilience
Ron Kneffel, Chairman of the CISO Alliance, confirmed that many companies have not yet completed all the necessary measures. "The biggest hurdles remain in renegotiating existing contracts with IT service providers and partners, as well as creating and maintaining detailed information registers," he explained. "The integration of new regulatory requirements into existing processes is a significant challenge, particularly without disrupting ongoing business operations."
The estimated costs for implementation
The estimated costs for implementation will vary. "The expenses depend on the complexity of the requirements, which will range from moderate to high," said Kneffel.
DORA can be costly if not implemented on time
According to Versicherungswirtschaft Heute, DORA can become expensive for institutions that have not implemented it by January 17. The size of any fine imposed by the financial supervisory authority BaFin depends on the financial institution's conduct.
Opportunities for improvement
Kneffel sees a silver lining in the use of IT-supported solutions and the outsourcing of IT security services. "Specialized tools and services are being used, and the potential of artificial intelligence (AI) is being evaluated. These technologies offer enormous potential to accelerate compliance processes and optimize them, although their implementation requires additional resources."
Conclusion
The implementation of DORA presents both challenges and opportunities for financial institutions. While the process may be complex and time-consuming, the benefits of increased cybersecurity and operational resilience are well worth the effort. By prioritizing the remaining tasks, coordinating between departments, and focusing on long-term sustainability, financial institutions can overcome the hurdles and achieve the desired level of digital resilience.
FAQs
- What is the Digital Operational Resilience Act (DORA)?
  DORA is a new EU regulation aimed at increasing cybersecurity in the financial sector.
- What is the deadline for implementing DORA?
  The deadline is January 17, 2025.
- What are the biggest challenges in implementing DORA?
  The biggest challenges include the late publication of technical standards, the need to renegotiate existing contracts, and the integration of new regulatory requirements into existing processes.
- What are the estimated costs for implementation?
  The estimated costs will vary, ranging from moderate to high, depending on the complexity of the requirements.
- What happens if DORA is not implemented on time?
  Late implementation can be expensive: the financial supervisory authority BaFin can impose fines.
- What are the opportunities for improvement?
  The use of IT-supported solutions and the outsourcing of IT security services can help overcome the challenges, and artificial intelligence (AI) has the potential to accelerate and optimize compliance processes.