
Financial institutions unprepared for DORA deadline


Many financial institutions face challenges meeting DORA’s operational resilience and ICT risk management requirements

With the implementation deadline for the Digital Operational Resilience Act (DORA) fast approaching, many financial institutions remain unprepared for its extensive operational resilience and ICT risk management requirements.

DORA, introduced to bolster the financial sector's resilience to digital and operational risks, imposes over 500 requirements and extends its scope to a wide range of third-party providers, including those outside traditional IT services. While the framework promises long-term benefits, including improved risk management and operational security, many organisations, especially smaller firms, are struggling to comply due to resource constraints and the complexity of the regulations.

Tim Wright, partner and technology lawyer at Fladgate, highlighted the challenges firms are facing. “Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA's 500-plus requirements, as well as having to deal with a wide range of third-party service providers,” he said. He noted that some firms have adopted a “one-size-fits-all” approach, which can lead to inefficiencies and excessive compliance efforts.

Wright also addressed the potential repercussions for non-compliance. “In terms of potential punitive measures for non-compliance, it’s the usual EU approach of less carrot, more stick, with the risk of mega fines for the worst cases. On top of that, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for continued non-compliance,” he explained.

Authorities are expected to take a targeted enforcement approach, prioritising significant breaches. Firms unable to meet full compliance by the deadline are advised to demonstrate good faith efforts and maintain open communication with regulators to mitigate potential penalties.

Despite the immediate challenges, DORA is expected to create a more resilient financial sector, reduce operational risks, and generate opportunities for cybersecurity professionals with expertise in financial regulations. However, the immediate focus remains on helping firms achieve compliance to avoid severe penalties and ensure a smooth transition into the DORA framework.