Banks operating in the European Union will need to reach compliance by Friday with a major new law governing the stability of the financial system's computer systems. Among other requirements, banks will be expected to monitor the risks presented by third-party technology vendors —
The Digital Operational Resilience Act, or DORA, passed in 2023, aims to protect the European financial sector against large-scale failures that might result from cyberattacks or technical outages. While banks that do not operate in Europe are not directly subject to DORA, the regulation is expected to shape the standards of the global financial system, and perhaps eventually the standards of U.S. regulators.
The law requires financial institutions to maintain a risk management framework, report major incidents to proper authorities and maintain a resilience testing program. It also encourages institutions to
These requirements scale in proportion to the size of the enterprise in question, such that larger banks will, for example, need to conduct more advanced testing, known in the law as threat-led penetration testing, or TLPT, which is meant to emulate real-world cyberattacks.
The consequences of failing to comply with DORA are high — up to limiting or suspending business activities until an organization reaches full compliance, according to Madelein van der Hout, senior analyst on the security and risk team at Forrester.
Noncompliant organizations can incur fines of up to 2% of their global annual turnover (in other words, gross revenue), or 10 million euros, whichever is higher. Third-party IT service providers that are considered critical according to the act can be fined 1% of their daily global turnover for each day of noncompliance.
As large as the fines could be, though, DORA is about the bigger picture, according to van der Hout.
"Compliance is not just about avoiding fines — it is an investment in long-term operational resilience and trust," van der Hout said.
To an extent, none of the key elements of DORA are new to EU or U.S. banks. Third-party risks have been a focus for U.S. bank regulators for years, and incident reporting requirements have been getting steadily more stringent.
While DORA provides a variation on some of these requirements, it also aims to defragment the regulatory environment European banks currently face. This so-called regulatory harmonization is also a theme of recent U.S. efforts.
"DORA sets a single regulatory framework, incorporating all the previous guidelines issued by the European supervisory authorities as well as the European and international best practices in cyber resilience and [IT] risk management," explained Karine Pariente, a partner at PwC France, in
Another theme of the legislation that
For each regulated company, DORA makes the so-called "management body" — a term whose definition varies by member state but generally includes the board,
"The management body has ultimate responsibility for defining, approving and overseeing an organization's [IT] risk management framework," wrote Ana Hadnes Bruder and Benjamin Beck, partner and counsel, respectively, at Mayer Brown. "This means that, as a general rule, the management body's cyber responsibilities cannot be delegated to a third party."