The new rules apply across the EU from 17 January 2025 (DORA is an EU regulation, although UK-based firms that operate in the EU or supply ICT services to EU financial entities are affected as well), so companies must ensure they are ready to comply.
The Digital Operational Resilience Act (DORA) has been discussed since it entered into force in January 2023. Since then, much debate has been about what the regulation involves and how it will impact the financial sector. DORA is designed to ensure that the financial sector is better prepared and resilient in the face of a cyber-attack or other IT incident.
With cybercriminals constantly increasing both the frequency and the sophistication of their attacks, and with the sector holding some of the most valuable data there is, it is clear why the European Union has introduced DORA.
Over the past decade, multiple cyberattacks and IT incidents have hit financial sector organisations, taken them out of action for extended periods and exposed vast amounts of data. DORA is designed to bring consistency to security and resilience practices across the sector.
Although firms have had two years to prepare for DORA's application, the scale of the task facing some means there is still much work to do. The regulation also looks set to be actively enforced, with serious consequences for the directors of firms that fail to ensure cyber and data robustness.
With just months remaining until DORA is applied, what can firms in the financial sector do to ensure compliance?
1) Buy-in from staff and stakeholders
The key to any change in protocol or policy within a business is to ensure that employees are fully engaged and up to speed with what is required, and to give them the opportunity to feed back on how the changes affect their department.
With staff on board, it becomes possible to make adherence an integral part of day-to-day business. This 'industrialisation' of the compliance process means companies can ensure they keep to the regulation. Team members within a department have a much better idea of its risks and of the day-to-day impact of changes than an individual or team sitting outside the department and second-guessing where vulnerabilities might lie.
It also means staff feel able to raise the issues any changes are causing in their own department. This should include all staff, whatever their seniority: cybercriminals will always pick the route of least resistance, and that is usually people.
By engaging with your team and explaining the threats and how to better deal with them, companies can help move towards adherence and, most importantly, keep cyber criminals out.
2) Treating compliance as an ongoing process
Achieving regulatory compliance often takes a lot of effort, and once it is secured there is understandably a tendency to relax and adopt a 'job done' attitude. However, regulatory compliance should be treated not as a tick-box exercise but as an ongoing process.
DORA in particular looks set to be continuously policed, meaning new threats have to be countered as soon as they emerge. The threat facing the financial sector continually evolves, and firms' adherence must evolve with it. By making the process part of day-to-day business (as explained above), businesses can be more confident that they are continually reviewing and amending their processes, and are therefore more likely to remain compliant.
Regular process assessments and testing of policies and technology will be crucial to remaining DORA compliant.
3) Third-party security
Financial sector organisations have had to invest heavily in front-line defences in the face of an increasing threat from cybercriminals, and in many cases a large stack of software and technology now protects sensitive data and keeps it out of criminal hands. With such defences in place, cybercriminals are turning to other ways of gaining access, and one we are increasingly seeing is entry via third parties with links to the primary target.
This could be any supplier, not only those linked to technology. By entering through the 'back door', attackers bypass the defences the financial sector company has spent its budget on.
Therefore, as part of DORA compliance, organisations must ensure that the defences of their partners and suppliers are as robust as their own. DORA's third-party requirements focus on ICT service providers, and resilience and vulnerabilities across that supply chain form part of the compliance process. Understanding security across your supply chain will be critical to DORA adherence.
4) Documenting all actions
With DORA likely to be well policed, documenting the actions taken during the adherence process will be crucial. Unlike regimes that are assessed through a one-off check, oversight under DORA is likely to be ongoing, with regular regulator check-ins. A running record of the actions taken to enhance operational resilience will therefore be necessary.
This could include records of risk assessments, incident reports and the actions taken in response, alongside the register of information on ICT third-party contractual arrangements that DORA requires firms to maintain. Keeping these records serves two purposes: first, it demonstrates regulatory compliance; second, it builds a comprehensive record of the organisation's cybersecurity and IT resilience efforts.
5) Bring in the experts
DORA compliance and ongoing cyber-defence can seem daunting prospects, especially in a sector as highly regulated as finance. With IT teams struggling to keep up with day-to-day work alongside regulatory requirements, some in the financial industry are turning to consultancies that can provide the expertise to help with adherence.
This takes the pressure off internal teams and reassures senior executives that compliance is in hand. Importantly, it also means that any cyberattack or IT incident can be quickly dealt with, keeping data safe and adherence on track.
How to help ensure DORA compliance: key tips to adherence
By Sharon Kauffman | 3rd September, 2024