On March 1, 2023, my report, Digital Operational Resilience Act (DORA): Take a Licking and Keep on Ticking, attracted considerable interest from financial entities within the EU and the U.S. It has been five months since the report was published, so I wanted to check in on what progress has been made: as of today, EU member states have only 534 days left to comply, with the deadline falling on January 17, 2025.
It seems like a lot of time, but it isn’t when you consider that large IT infrastructure projects can take two or more years to complete, with many running over schedule. An operational resiliency overhaul would certainly count as an IT infrastructure project.
Shockingly, a May 2023 research report by BCI, the world’s leading institute for business continuity and resilience, reported that only 22.2% of financial institutions expect to adhere to DORA when it comes into force. Not surprising when you look at what DORA requires. The figure below shows 24 main articles of DORA that must be met and how they should be mapped to cybersecurity domains.
Complying with DORA is much more than duplicating hardware and software; it is a wholesale upgrade to critical business functions, policies, and procedures. Testing should begin at least six months before the deadline, which compresses the compliance window even further. Are you feeling a little stressed out now?
Failing to comply with DORA is not an option. Financial entities that fail to comply will be fined 1% of their daily turnover for up to six months. For example, if a financial entity with US$26.8 billion in annual turnover experienced an extended outage, it could be fined US$734,000 daily for a maximum of US$134 million.
Contact me here to share your experience complying with DORA or if you want a shoulder to cry on. If you agree to be confidentially interviewed about your DORA progress, I will give you a complimentary DORA report.