DORA Mandates and Penalties: Why Ignoring Compliance Could Cost Your Business
- Cytopus
- Feb 25
- 4 min read

Digital Operational Resilience Act
This article provides a concise introduction to DORA compliance, outlining the steps your business needs to take to prepare effectively and the potential consequences of neglecting this crucial regulatory requirement.
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA), officially Regulation No. 2022/2554, is a significant EU law aimed at enhancing cybersecurity for financial institutions, including banks and credit organizations. The regulation will apply from 17th January 2025 to relevant financial entities and ICT third-party service providers. Moreover, this legislation works in tandem with several other European Union regulations (such as GDPR and NIS2) to create a comprehensive framework for cybersecurity, risk management, and resilience in the financial sector.
The Main Goal of DORA and What Businesses Should Prepare
The Digital Operational Resilience Act (DORA) aims to ensure that financial entities within the European Union can withstand, respond to, and recover from operational disruptions, particularly those caused by cyber threats. It states that financial entities must no longer merely defend themselves; they must be able to resist and continue operating.
DORA applies to a wide range of regulated financial entities (21 types in total, described in Article 2), including banks, insurers, payment providers, crypto-asset service providers (CASPs), crypto-asset issuers, and electronic money institutions (EMIs). It also covers financial information managers, critical ICT third-party providers (CTPPs), and credit rating agencies. The rules are tailored to the entity’s risk exposure, size, and activities, with micro-enterprises benefiting from proportionate requirements in areas like ICT risk management, resilience testing, incident reporting, and oversight of critical third-party providers.
Excluded Businesses:
Certain entities are excluded from the scope of DORA by Article 2(3). The short list of exclusions is:
institutions for occupational retirement provision which operate pension schemes that together do not have more than 15 members in total;
natural or legal persons exempted under Articles 2 and 3;
insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises (the definition is given in Article 4(60) of DORA: an enterprise which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed 2 million euros);
post office giro institutions, Article 2(5), point 3;
Member States may choose to exclude from the scope of DORA certain very specific national credit or investment entities, as referred to in Article 2(5) of Directive 2013/36/EU.
Preparing for DORA Compliance: Key Steps and Potential Penalties
DORA sets out a comprehensive framework to address the digital operational resilience needs of all regulated financial organizations, while also establishing oversight protocols for critical ICT third-party service providers (CTPPs). Its core components include:
Managing ICT-related risks;
Reporting ICT Incidents;
Conducting resilience testing;
Mitigating risks associated with ICT third-party providers;
Facilitating information sharing across entities.
Steps for Implementing DORA Compliance into Business
Many financial institutions and related entities in Europe will probably be affected by the Digital Operational Resilience Act (DORA) in some capacity. While certain requirements may not take full effect immediately, companies are strongly advised to begin preparing for DORA compliance as early as possible. To ensure compliance with DORA, businesses can take the following steps:
ICT Risk Management Assessment: Evaluate the cybersecurity risks related to your company’s information and communication technologies (ICT) infrastructure and operations to understand vulnerabilities.
Incident Reporting Mechanism: Implement a clear process for reporting ICT-related incidents that aligns with DORA's requirements for timely notification.
Resilience Testing: Conduct regular resilience tests to verify the robustness of your ICT systems against various disruptive events and ensure they meet DORA's standards.
Third-Party Risk Assessment: Evaluate and manage risks posed by critical ICT third-party service providers (CTPPs) that are integral to your company's ICT operations.
Action Plan Development: Based on the risk assessments, create a detailed action plan addressing compliance needs, such as establishing an ICT continuity plan and ensuring adequate resources for compliance.
Compliance Implementation: Collaborate with compliance experts to integrate the necessary security measures, risk management processes, and operational resilience protocols into daily operations, ensuring your business is fully prepared for DORA compliance.
The Cost of Compliance Negligence
The key DORA dates and milestones are as follows: the Digital Operational Resilience Act (DORA) was officially published in the EU Official Journal on December 27, 2022. It entered into force on January 16, 2023, and will be fully applicable from January 17, 2025. The European Supervisory Authorities (ESAs) have been tasked with developing the technical standards (Level 2 rules) for all financial entities under DORA. These standards are expected to be finalized and adopted by the end of 2024. Financial entities should begin preparing for DORA compliance immediately to ensure they meet the requirements once the regulation comes into full effect.
Entities found to violate DORA could face fines up to 2% of their total worldwide annual turnover, or a maximum fine of EUR 1,000,000 for individuals, whichever is higher. The severity of the violation and the entity’s cooperation with regulatory authorities will influence the fine amount. Financial institutions that fail to report major ICT-related incidents or significant cyber threats as required by DORA could face substantial fines. Furthermore, third-party ICT service providers deemed “critical” by the ESAs may incur fines up to EUR 5,000,000 or EUR 500,000 for individuals if they fail to comply with DORA’s mandates. The ESAs hold the authority to impose these fines based on the breach’s nature and scope.
How Cytopus Can Help
Develop and Test Incident Reporting Plans: Cytopus can help you develop robust plans for reporting major ICT-related incidents, ensuring compliance with DORA.
Gap Analysis for DORA Requirements: We will conduct a thorough assessment to pinpoint areas where your business may fall short of DORA's stringent requirements. Based on this analysis, we will provide practical solutions to address these gaps effectively.
Assess Your ICT Risk Management: Cytopus will help you review your ICT infrastructure, identifying any compliance gaps with DORA's ICT risk management requirements, and ensuring that your systems meet the highest cybersecurity standards.
Training for Employees: Provide specialized cybersecurity training for your employees to ensure they are fully aware of DORA's implications and of best practices for securing your organization's ICT infrastructure.
Compliance Audits and Ongoing Support: Cytopus offers compliance audits to ensure your organization continues to meet DORA's evolving requirements, helping you stay compliant with DORA as well as other regulations such as NIS2 and the CRA.