Navigating DORA Compliance: Key Statistics and the Need for Continuous Monitoring 

Vcheck

The Digital Operational Resilience Act (DORA), which goes into effect on January 17, 2025, will transform how EU financial institutions approach cybersecurity and ICT risk management. As the enforcement deadline looms, organizations grapple with the complexities of compliance in a rapidly evolving threat landscape.  

What is DORA in compliance? 

Introduced in 2022 as part of the EU’s broader Digital Finance Package, DORA guidelines address a critical gap in current EU finance regulation. Before DORA, firms managed operational risks by allocating capital to cover losses.   

DORA aims to target and enhance information and communication technology (ICT) risk management standards across the financial sector. The guidelines “impose stringent requirements on financial entities to establish robust ICT risk frameworks [and] continuous monitoring.”  

DORA sets out clear policies for ICT risk management, incident reporting, resilience testing, and third-party risk management. 

Key requirements under DORA include: 

  • Establishing and maintaining a sound, comprehensive, and well-documented ICT risk management framework 
  • Classifying and reporting major ICT-related incidents to competent authorities within strict timeframes 
  • Conducting advanced testing of ICT tools, systems, and processes based on identified risks 
  • Maintaining a register of information on all contractual arrangements with ICT third-party service providers 
  • Monitoring ICT third-party service providers, including the potential impact of ICT concentration risk 

DORA is a response to growing dependence on financial services, digitization, and the associated risks posed by cyber threats, technology failures, and third-party dependencies. The regulation recognizes that operational disruptions have far-reaching consequences, impacting individual firms, market stability, and consumer trust. 

DORA applies to a wide range of financial entities operating in the EU, including: 

  • Credit institutions 
  • Payment institutions and electronic money institutions 
  • Investment firms 
  • Crypto-asset service providers 
  • Central securities depositories 
  • Insurance and reinsurance undertakings 

Additionally, DORA introduces an oversight framework for critical ICT third-party service providers that deliver services to financial entities located or operating in the EU. 

The High Stakes of Non-Compliance 

According to a recent survey by McKinsey, a staggering 94% of financial institutions are engaged with DORA’s requirements. However, the same survey revealed that as of April 2024, only a third expressed confidence in meeting the January 2025 deadline.

Under DORA, financial institutions face fines of up to 1% of their average daily worldwide turnover for the preceding business year for severe breaches. For a large global bank with $50 billion in annual revenue, for example, that could translate to a $500 million penalty.

Beyond financial repercussions, non-compliance exposes organizations to heightened reputational risk and business disruption. To mitigate these risks, financial institutions must prioritize DORA compliance and implement monitoring to safeguard against damage.  

The Need for Continuous Monitoring 

Emerging DORA regulations require that financial institutions leverage continuous monitoring to pinpoint and safeguard against operational and third-party risk in our evolving landscape.

Vcheck’s continuous monitoring solution helps financial institutions comply with DORA guidelines by screening adverse media in real time while minimizing false positives. Our solution is the first to leverage real-time web crawling, language filtering, and AI to meet clients’ evolving risk mitigation needs without the noise of other tools.

Users can access monitoring through the Vcheck Portal for 24/7 insights across: 

  • Real-time open-source news in 14+ languages 
  • Global sanctions and enforcements 
  • Politically exposed persons (PEP) 
  • Criminal records and arrest data 
  • Sex offender registries 

Vcheck monitoring streamlines information overload by consolidating duplicate alerts into a single, AI-generated summary. This summary prioritizes information from the most relevant sources in the hit to enhance accuracy and to safeguard against common names.  

This targeted approach, combined with customizable alert parameters, enables firms to effectively identify and manage ICT third-party risks as required by DORA, without the noise of traditional monitoring tools.  

Vcheck’s solution fills a gap in the market, empowering organizations to meet DORA’s stringent third-party risk management requirements through a comprehensive, yet streamlined, continuous monitoring process. 

DORA Compliance: A Certain Future 

The EU’s Digital Operational Resilience Act (DORA) presents significant challenges for financial institutions and their ICT service providers. Vcheck’s continuous monitoring solution offers a comprehensive and efficient approach to meeting DORA’s third-party risk management obligations. The platform’s ability to consolidate duplicative hits, generate concise summaries, and minimize false positives empowers organizations to make informed decisions and demonstrate compliance with DORA’s requirements.  

As the January 2025 enforcement deadline approaches, partnering with Vcheck can help financial institutions navigate the complexities of DORA compliance and strengthen their overall digital operational resilience. 

Contact us to learn how we can help safeguard your organization in an increasingly complex regulatory and threat environment. 
