New European Union rules requiring banks to strengthen their cybersecurity officially took effect on Friday (17 January 2025), but many financial service providers in the bloc are still not fully compliant.
The Digital Operational Resilience Act (DORA) requires financial institutions and their technology suppliers (ICT third-party providers, in DORA's terms) to harden their IT systems so that they can withstand and recover from cyberattacks and other disruptions. Non-compliance can result in fines of up to 2% of annual global revenue, and individual executives can face penalties of up to 1 million euros (about NZ$1.8 million).
Harvey Jang, chief privacy officer at Cisco, noted that compliance rates vary significantly among firms. “I think we’ve seen a mixed bag,” he stated.
He also emphasised the complexity of creating compliance programs, which can lead to differing interpretations of what compliance entails.
Under DORA, financial firms must implement rigorous ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for larger entities), and ICT third-party risk management. A survey by Orange Cyberdefense found that 43% of U.K. financial institutions are not yet fully compliant. That matters even though the U.K. is outside the bloc, because DORA applies to any institution operating within EU jurisdictions, wherever it is headquartered.
Richard Lindsay from Orange Cyberdefense highlighted the difficulty of managing critical third-party IT providers within a complex digital ecosystem, and said that assuring compliance across every part of that ecosystem will require new strategies and resources. Despite these challenges, experts expect banks to reach compliance before long.
IT providers are exposed too: an ICT provider designated as critical under DORA can be ordered to pay periodic penalties of up to 1% of its average daily global revenue for each day it remains non-compliant, for up to six months.
Looking ahead, Lindsay suggested that as technology advances, financial institutions may look to bring critical security functions back in-house rather than depend on outside providers. They must also contend with overlapping cybersecurity regulation such as the Network and Information Security Directive 2 (NIS 2), whose transposition deadline fell in October 2024.
“As with any new regulation, there will certainly be a transitionary period as organisations adjust to new requirements. This is the start of a long journey toward improving software security and resilience.”