On January 17, 2025, the Digital Operational Resilience Act (DORA) became mandatory for all European financial entities. This includes banks, insurance companies, crypto-asset firms, and financial market infrastructures. DORA strengthens resilience against digital risks. It prioritizes cybersecurity and sets requirements for IT risk management and data protection. The goal is to ensure the stability and continuity of the European financial sector during major disruptions.
The regulation supports a proactive approach to managing operational risks through five key pillars:
- ICT risk management: Financial entities must implement robust processes to effectively manage ICT risks.
- Incident reporting: Entities are required to report major IT incidents to national authorities.
- Resilience testing: Financial entities must conduct resilience tests to identify vulnerabilities to cyber threats.
- Third-party provider management: DORA enforces oversight of ICT service providers to ensure they meet high security standards.
- Information sharing: The regulation encourages cooperation and information-sharing on cyber threats among financial entities.
How are financial institutions preparing for DORA?
Each financial entity bears responsibility for implementing these five pillars. This requires significant preparation across multiple dimensions. Organizations must address organizational, procedural, technical, legal, and informational aspects. The transition is well underway: a recent Acuiti study shows that nearly 90% of companies are increasing their investment in third-party risk management. They aim to meet DORA requirements and other regulations.
Financial and insurance companies face a twofold challenge. They must comply with DORA’s five pillars while working closely with compliant suppliers. Companies can benefit from managed services provided by third-party ICT service providers. These providers’ expertise helps smooth the transition and optimize compliance efforts.

Is the DORA compliance timeline realistic?
The timeframe between finalizing DORA’s requirements and enforcement is tight. Financial entities have limited time to adapt. At SBS, many clients have expressed concerns over the deadline. However, these concerns require context:
- The shift toward digital resilience is a long-term process. It requires a multi-year, multi-dimensional approach. The goal is gradual integration of new requirements.
- It’s an evolving process. Legal compliance is the end goal. Yet the journey continues beyond rule-following toward full implementation.
- Adaptation should be based on operational risk analysis. Successful institutions focus on critical processes and information systems. They prioritize core banking systems that centralize value. This optimizes the cost and timing of DORA compliance.
What strategy should organizations adopt?
According to a McKinsey study, institutions plan to spend between €5 million and €15 million on DORA compliance. Almost four in ten financial entities and ICT providers dedicate more than seven full-time employees to their DORA programs. Financial institutions should be pragmatic in selecting solutions while controlling costs.
Managed service providers can accelerate the process and streamline compliance efforts. As a third-party provider of strategic solutions, SBS supports clients in navigating the regulatory landscape. SBS offers integrated core banking systems and dedicated support for managed services clients. This ensures compliance with DORA’s five pillars.

What are the key benefits of managed services?
At SBS, DORA represents an opportunity. Our solutions and services enable clients to control cyber resilience costs. SBS offers four main advantages:
1. A comprehensive information system (IS), always available and up-to-date
Cyber resilience relies on continuous updates and strict version control. SBS monitors versioning policies closely. We ensure the latest technological innovations are integrated. This includes advanced features like API portals. Network and connectivity security are enhanced for optimal performance. We ensure long-term infrastructure sustainability.
2. Regulatory compliance at controlled costs
SBS partners with Sopra Steria Group to provide leading cybersecurity services. We ensure compliance with DORA, ISO 27001, and GDPR while controlling costs. Our expertise combines cyber resilience and regulatory frameworks. We offer advanced security services like vulnerability and penetration testing. This protects sensitive data and boosts customer confidence in the digital world.
3. Total cost of ownership (TCO) optimization
SBS specializes in optimizing TCO through resource pooling. Companies can streamline security asset costs while scaling to meet growing needs. This helps businesses maximize their cybersecurity investment.
4. Strategic execution
SBS controls operational risks and eliminates technological instability. We ensure efficient execution of financial institutions’ strategies. This involves resource sharing and simplifying skill acquisition. We upgrade technical infrastructures to meet modern requirements.
SBS managed services help financial institutions achieve operational resilience. They enable secure transformation of banking operations. Organizations comply with new regulations at controlled costs. Risk management is optimized, freeing teams to focus on strategic priorities.
How does DORA transform the financial sector?
DORA is built on the goal of achieving sustainable operational resilience. This transition goes hand in hand with the search for more flexible models, such as managed services, which are better suited to businesses that must optimize both risk management and operational efficiency. In this context, DORA is more than just a regulatory requirement: it is a proactive opportunity for transformation, pushing financial entities to modernize their systems, move beyond standardized models, reduce long-term costs, and enhance their competitiveness.
Frequently Asked Questions
When did DORA become mandatory?
DORA became mandatory on January 17, 2025, for all European financial entities including banks, insurance companies, and crypto-asset firms.
What are the five pillars of DORA?
The five pillars are: ICT risk management, incident reporting, resilience testing, third-party provider management, and information sharing among financial entities.
How much are institutions spending on DORA compliance?
According to a McKinsey study, institutions plan to spend between €5 million and €15 million on DORA compliance. Additionally, many organizations dedicate significant internal resources, with some assigning more than seven full-time employees to their DORA programs.
Is DORA only about compliance?
No, DORA represents an opportunity for transformation. It pushes financial entities to modernize systems, improve risk management, and enhance competitiveness while ensuring operational resilience.