As of January 17, 2025, the European Union's Digital Operational Resilience Act (DORA) applies in full. Financial entities and the ICT (Information and Communications Technology) third-party service providers they depend on must now comply with it. DORA strengthens cybersecurity across the financial sector by setting uniform requirements for digital operational resilience. In this blog, we explain what DORA is, what non-compliance can cost, and how solutions like Impossible Cloud can help financial entities achieve and maintain compliance.
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to make financial entities resilient against ICT disruptions and cyber threats. Motivated by the sector's growing dependence on digital services and by rising cyberattacks, DORA mandates stringent ICT risk management. By establishing a single set of rules across the EU, it seeks to reduce operational disruptions and to harden the ICT systems that underpin financial services.
DORA requires financial entities to be able to withstand, respond to, and recover from ICT disruptions. Its main pillars are ICT risk management, ICT-related incident reporting, digital operational resilience testing, and management of ICT third-party risk, all aimed at safeguarding the services on which consumers rely. The regulation entered into force in January 2023 and has applied since January 17, 2025.
Unlike the earlier supervisory guidelines it builds on, DORA is a regulation that is directly applicable and legally enforceable in every member state, and its scope covers both a financial entity's internal systems and its external ICT service providers, including cloud storage platforms.
Non-compliance with DORA carries substantial financial, operational, and reputational risks. Institutions found in breach may face:
The General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA) are both EU frameworks that impose significant penalties for non-compliance. Here is a comparative overview of their respective penalty structures:
GDPR sets the higher maximum fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher). DORA, by contrast, leaves most administrative penalties for financial entities and responsible individuals to national law, and adds a dedicated regime for critical ICT third-party service providers, who can face periodic penalty payments of up to 1% of their average daily worldwide turnover. This reflects DORA's targeted focus on the resilience of the financial sector's digital operations rather than on data protection as such.
DORA has far-reaching implications for the financial sector, particularly for how institutions manage their relationships with ICT and cloud service providers. Below are key actions financial institutions should take to ensure compliance:
Cloud providers whose services are critical to the financial sector may be designated as critical ICT third-party service providers (CTPPs). A designated CTPP falls under the direct oversight of a Lead Overseer drawn from the European Supervisory Authorities (ESAs), and must meet rigorous compliance requirements.
At Impossible Cloud, compliance and security are foundational to our services.
Impossible Cloud helps financial firms and IT service providers meet today's compliance requirements while preparing for tomorrow's digital demands. By choosing Impossible Cloud, you are not just opting for high-performance, S3-compatible storage; you are making a strategic move towards resilient, secure, and regulation-ready digital infrastructure.
If you require further assistance or have specific questions about DORA compliance, feel free to reach out to our team.
Sources:
[1] European Commission, Implementing and delegated acts - DORA
[2] European Union, Digital operational resilience for the financial sector
[3] N2WS, DORA Regulation Explained: Requirements, Penalties, and Compliance
[4] The Guardian, GDPR fines