The European Union’s Digital Operational Resilience Act (“DORA”), a regulation aimed at enhancing the resilience of financial entities to digital disruptions, officially came into force on January 16, 2023 and will be applied from January 17, 2025. In the second episode of BDO Business Talks, Veronika Macháčková-Koch, Director of IT Audit, and Othmane Mouline, Senior Manager in ICT Security and Compliance, discuss the entities affected by DORA and provide insights on how companies can effectively navigate their compliance journey under this new legislative framework.

The objective of DORA is to harmonize and strengthen cyber-resilience within financial entities such as banks, insurance companies and investment firms, ensuring the financial sector in Europe maintains resilience during significant operational disruptions.

DORA is built on five foundational pillars: ICT risk management, ICT-related incident management, digital operational resilience testing, ICT third-party risk management and information-sharing arrangements.

“To be compliant with DORA, you must enhance your IT resilience within your company,” Veronika Macháčková-Koch explains. “This can be very complex, depending on the size and extent of your IT setup and the type of business you run.”

In fact, DORA will affect not only the IT team but the entire company, extending to management and internal audit and, in some cases, to external IT auditors who rely on the conclusions of internal IT audits.

As Othmane Mouline notes, “What’s new is that critical ICT third-party providers now fall within the scope of DORA, as they play a crucial role in supporting the financial market in Luxembourg.”

Non-European entities must also take note. Where GDPR is concerned with controllers and processors handling EU personal data, DORA's third-party provisions reach ICT providers established outside the EU that serve EU financial entities. Othmane Mouline explains, “With DORA, it’s different. When you have a critical ICT third-party provider operating outside the EU and serving EU entities, they now must create their entity within the EU, and the deadline is 24 months after the implementation of DORA.”

Supporting clients on the compliance journey

BDO offers a full range of services designed to support clients at every stage of their compliance journey, from conducting initial studies and gap analyses to delivering tailored recommendations for improvement.

“We can develop ICT risk management, helping with regular penetration testing and assessing third-party providers,” Veronika Macháčková-Koch explains.

According to a recent survey by the Association des Banques et Banquiers, Luxembourg (“ABBL”), 80% of respondents, including CISOs and COOs, identified ICT third-party risk management as one of the pillars of DORA that they anticipated would pose the greatest challenge.

BDO can assist clients throughout their compliance journey, with support ranging from a gap assessment to implementation. BDO also provides training programs that help all layers of the organization understand their roles in maintaining compliance.

Consequences of non-compliance

Emerging technologies, such as AI, introduce new risk typologies that fall within DORA's ICT risk-management obligations. Non-compliance can lead to severe penalties, including regulatory sanctions that could prevent products from being offered in the financial services sector. Veronika Macháčková-Koch was keen to emphasize that “The consequences of not being compliant with DORA will cost you more than investing in your compliance journey. The specific provision currently discussed, at least here in Luxembourg, which is very similar to GDPR regulation, is 5% of worldwide turnover, or a ceiling of €5 million, as a penalty.”