DORA regulations, impact and challenges for companies in the financial sector 

The European DORA (Digital Operational Resilience Act) regulation imposes a governance and internal control framework specific to the financial sector, to guarantee operational resilience in IT matters. 

DORA sets security standards and strict rules for certain players, mainly in the financial sector, such as banks, fund managers, insurance companies, payment service providers and market infrastructures.  

These rules cover the following areas:  

  • IT risk management. 
  • Reporting of major security incidents related to technologies. 
  • Operational IT resilience testing. 
  • Third-party risk management, including direct supervision of "critical" service providers. 

Overall, the DORA regulation seeks to standardize IT risk management in the financial sector, ensuring business continuity and the efficient operation of essential services during significant IT security incidents. 

What impact will the DORA regulations have on your company? 

DORA is likely to have a major impact on financial institutions in the EU in several ways: 

  1. Increased compliance costs: institutions will have to invest more in resources and systems to meet regulatory requirements, thus increasing compliance-related expenses. 
  2. Enhanced supervision: the regulation will enable regulators to carry out more frequent and in-depth checks on the operational resilience of institutions. 
  3. Changing business practices: financial institutions will have to adjust their practices to comply with standards, including cybersecurity and continuity plans. 
  4. Emphasis on risk management: DORA emphasizes risk management, requiring financial institutions to establish a robust risk management framework, including the development and application of more stringent procedures. 
  5. Improved operational resilience: by complying with these standards, institutions will be able to better resist and respond to disruptions, thus reinforcing their overall stability. 

These changes are designed to enhance financial security and stability for institutions and their customers. 

What are the legal issues involved? 

Several legal issues are linked to this new regulation, notably liability and the obligation to comply, since DORA establishes clear duties to strengthen the operational resilience of companies against cyber threats and technical failures. DORA provides for sanctions and fines in case of non-compliance, promotes collaboration and data sharing on cybersecurity between national authorities, and affects the handling of personal data, which must remain compliant with rules such as the GDPR (RGPD). Finally, DORA may require adherence to precise technical cybersecurity standards, with regular assessments and testing required to prepare the companies concerned for emerging threats. 

Key dates 

  • 12/27/2022: publication of the regulation in the Official Journal of the European Union. 
  • Early 2023: entry into force. 
  • 2025: obligation to apply the regulation in all 27 EU member states. 

Unlike a directive such as NIS2, a regulation applies directly as written, without transposition into national law. This means that financial institutions and service providers need to plan and organize now.