The Digital Operational Resilience Act (DORA) marks a transformative milestone for the financial services sector. Its implementation date of 17 January 2025 is more than just a compliance deadline; it commences a new era of operational resilience and regulatory harmonisation.
As financial institutions increasingly rely on digital solutions to drive innovation and efficiency, they also face heightened exposure to cyber risks and technical failures. DORA aims to mitigate these risks by harmonising security rules across the EU, aligning with existing regulations such as GDPR and the NIS2 Directive. It addresses the evolving threat landscape with a forward-looking approach, emphasising proactive resilience over reactive compliance.
Challenges Across Market Segments
For Major Banks and Investment Firms
Large financial institutions have had to navigate the complexities of legacy IT systems, which are often an amalgamation of technologies accumulated over decades. These systems can be difficult to modernise and are more susceptible to vulnerabilities, creating unique challenges in implementing DORA’s stringent requirements.
For Smaller Entities
Smaller organisations, such as hedge funds and asset managers, face their own set of challenges. With more limited budgets and less experience in regulatory compliance, many of these firms are encountering rigorous resilience mandates for the first time. For them, DORA represents both a steep learning curve and an opportunity to build resilience frameworks from the ground up.
The Role of Custodia in Supporting DORA Compliance
At Custodia, we’ve been working closely with our clients to prepare for DORA, particularly in renegotiating contracts to meet the regulation’s requirements. One of the most critical obligations is maintaining an up-to-date register of all ICT service agreements, ensuring transparency and readiness in managing potential risks.
According to the ENISA Threat Landscape Report, data compromises increased significantly in 2023-2024, with financial institutions being prime targets for attackers. Cybercriminals aim to exploit vulnerabilities to gain access to sensitive data for financial or strategic gain. In this environment, resilience is no longer optional—it is a necessity.
DORA reinforces this reality by requiring institutions to assume breaches are inevitable and to establish robust measures to withstand, mitigate, and recover from them. This includes:
- Implementing backup policies and recovery methods.
- Developing frameworks to identify and analyse vulnerabilities.
- Ensuring staff and senior management undergo compulsory digital resilience training.
- Establishing crisis communication plans and monitoring the effectiveness of resilience strategies.
A Global Ripple Effect
While DORA is an EU regulation, its impact extends far beyond European borders. Financial entities in the U.S., Asia, and other regions providing services in Europe must align with DORA standards. This underscores the growing interconnectedness of global financial markets and the universal nature of cyber risks. As other regulators introduce similar measures, resilience is becoming a cornerstone of financial operations worldwide.
Looking Ahead
DORA’s implementation is just the beginning. Compliance is not a static goal but an ongoing process that demands vigilance, adaptability, and continuous improvement. Financial institutions that embrace this mindset will not only meet regulatory requirements but also position themselves as leaders in operational resilience.
At Custodia, we understand the unique challenges and opportunities DORA presents for our clients. As a trusted ICT cloud service provider, we are here to help you navigate these changes, ensuring your systems are resilient, compliant, and future-ready.
Reach out to us today to learn how we can support your journey towards digital operational resilience. The future is resilient – and it starts now.