The European Union has officially implemented new, stringent rules to enhance cybersecurity in the financial sector under the Digital Operational Resilience Act (DORA).
The law aims to ensure that banks and their affiliated technology companies are able to withstand cyberattacks and technical disruptions, but its arrival has revealed a significant gap in the readiness of many institutions to comply.
DORA came into effect on January 17, requiring financial institutions to conduct comprehensive IT risk assessments, test cybersecurity resilience, and manage relationships with external technology vendors.
Violators face fines of up to 2% of the global annual revenue of companies, with personal penalties for executives reaching up to one million euros, according to a report published by CNBC and seen by "Al Arabiya Business."
Reports show that a significant proportion of financial institutions, especially in the UK and Europe, have not yet fully complied.
Harvey Jang, an official at Cisco, noted that the lack of a clear interpretation of compliance has led to significant variation in institutional readiness.
Jang said: "Some companies have exceeded the basic requirements, while others are still struggling to understand what is required of them."
Challenges to Compliance
Some of the major challenges faced by financial institutions in complying with the new rules include:
- Third-party risk management: The complexity of relationships with external technology providers makes compliance more challenging.
- Technical update costs: Investment in upgrading security systems is putting pressure on financial resources.
- Overlapping regulations: Other laws, such as "NIS 2," increase the compliance burden on institutions.
Despite these challenges, experts believe that European banks have a strong foundation due to previous regulations, such as the General Data Protection Regulation (GDPR), positioning them better to adapt to DORA.
Fabio Colombo of Accenture pointed out that "European banks have advanced capabilities in governance and IT risk management, which helps them comply more quickly."
Pressure on Technology Providers
DORA is not limited to financial institutions; it imposes penalties of up to 1% of the average global daily revenue on non-compliant technology vendors.
Brian Fox of Sonatype explained: "The penalties force vendors to take security compliance seriously and may drive some institutions to bring technical services in-house to reduce risks."