January 17, 2025 is the implementation and effective date to comply with DORA requirements.
The Digital Operational Resilience Act (DORA) legislation was developed to enhance the resilience of financial institutions and their third-party Information and Communications Technology (ICT) providers in the face of IT interruptions, specifically cyber threats. A crucial aspect of DORA is its implementation timeline, which outlines the deadlines for compliance.
What is the Timeline for DORA?
The implementation date for DORA is January 17, 2025: financial institutions and their third-party providers must be in full compliance with DORA requirements by this date. Here is the timeline from initial entry of the legislation to its effective date.
- January 16, 2023 – Entry of DORA Regulation
- June 23, 2023 – End of the Public Consultation and Call for Advice on Criticality Criteria and Fees
- September 11, 2023 – End of Public Consultation on First Batch of Policy Products
- September 30, 2023 – Call for Advice on Criticality Criteria and Fees
- January 17, 2024 – Delivery of First Batch of Public Policy Documents
- March 4, 2024 – End of Consultation on Second Batch of Policy Products, Obtain Joint Feedback from ESAs Stakeholder Groups on Second Batch of Policy Products, Results of Public Consultation of the second Batch of DORA Policy Mandates
- July 17, 2024 – Delivery of Second Batch of Public Policy Documents
- January 17, 2025 – Effective date for application of DORA (i.e. DORA goes into effect; financial institutions and their ICT providers will be ‘in-scope’ for DORA compliance starting on this date)
- Ongoing from Effective Date – Start of Oversight Activities for the ESAs
What is the DORA Regulation 2025?
DORA 2025 refers to the regulations and standards that financial institutions must adhere to in order to comply with the Digital Operational Resilience Act, which has an effective date of January 17, 2025. These regulations cover a wide range of topics, including:
- Risk assessment: Identifying and assessing potential cyber threats.
- Resilience testing: Regularly testing resilience capabilities to identify vulnerabilities.
- Incident response: Having robust incident response plans in place.
- Information sharing: Collaborating with other organizations to share information about cyber threats.
DORA mandates a more proactive and continuous third-party risk management program for European financial institutions.
FortifyData’s third-party risk management program is ideal for DORA requirements. FortifyData provides visibility into the cyber risks of your third parties with continuous assessments of their external assets in conjunction with questionnaire management including a specific DORA questionnaire. We conduct real-time attack surface assessments to identify and prioritize vulnerabilities, so you and your third parties can reduce cyber risk. Furthermore, our technology assessment data is used in conjunction with auto-validated questionnaires for a 360° view of risk.
Is DORA Mandatory?
Yes, DORA is mandatory. Financial institutions and their third-party providers operating within the European Union must comply with DORA. Failure to comply with DORA can result in significant penalties, including fines and reputational damage.
Regulation EU 2022/2544, also known as the Digital Operational Resilience Act (DORA), is mandatory. The purpose of the DORA requirements is to strengthen the cybersecurity and operational resilience of the European financial sector by publishing a framework that helps participants in the financial system ecosystem, notably Information and Communications Technology (ICT) providers, reduce cyber and operational risks.
It’s a binding regulation for financial institutions and critical third-party service providers operating within the European Union. There are significant penalties for non-compliance with DORA along with potential regulatory actions.
What are the Penalties for Non-Compliance with DORA?
The penalties for non-compliance with DORA can be severe. These penalties may include:
- Administrative Fines: Financial institutions can face fines of up to 10 million euros or 5% of their total annual turnover for serious infringements.
- Periodic Penalty Payments: In cases of ongoing non-compliance, companies may be subject to daily penalties of up to 1% of average daily global turnover for a maximum of six months.
- Additional Measures: Regulatory authorities can impose other sanctions, such as public reprimands, operational restrictions, or even withdrawal of authorization.
NOTE: the penalties will depend on the nature and extent of the non-compliance. DORA uses these penalties, including daily penalties, as a strong incentive to drive compliance and to ensure that financial institutions prioritize cybersecurity and operational resilience.
How FortifyData helps with DORA mandatory requirements
Operational resilience is not merely about compliance; it’s about securing the financial sector’s ability to withstand and quickly recover from ICT-related disruptions. FortifyData empowers financial service providers to achieve this goal. It addresses DORA Regulatory Technical Standards (RTS) outcomes for the oversight of ICT activities, produces auditable materials for joint exams, and, through our continuous external vulnerability assessments, provides the foundation for the TLPT (threat-led penetration testing) component. We also offer a DORA Gap Analysis service, complete with external attack surface assessments of your ICT vendors and the applicable questionnaire with technical validation.
By providing a detailed roadmap for compliance and resilience, FortifyData enables organizations to proactively identify and address vulnerabilities, implement robust controls, and foster a culture of continuous improvement. This not only aligns with DORA’s objectives but also strengthens the financial sector’s overall resilience against cyber threats. We can help.
The implementation date for DORA is rapidly approaching. Financial institutions and their third-party providers must take proactive steps to ensure compliance with the act’s requirements. By understanding the timeline, regulations, and potential consequences of non-compliance, organizations can effectively prepare for the challenges and opportunities presented by DORA.