With less than one year until the introduction of the EU Digital Operational Resilience Act (DORA), Jackie Hennessy, KPMG Risk Consulting Partner who leads KPMG's Technology Risk Services, looks at the scope of the Act, the risk of non-compliance and what challenges financial services companies will face in applying this new regulation. KPMG's EMA Cyber Leader Dani Michaux highlights some cyber security issues to consider.
Financial services firms across Europe are facing a significant step up in standards when it comes to their ability to continue operations in the wake of a major ICT incident or cybersecurity breach.
DORA sets out a range of new rules for financial institutions to follow regarding their protection, detection, containment, recovery and response capabilities for ICT-related incidents. It also puts in place new requirements for ICT risk management, incident reporting, resilience testing and ICT third-party risk management.
The DORA regulation comes into effect on January 17, 2025, giving firms less than 11 months to prepare for it. "Over the past year, organisations have been navigating DORA, deciphering its implications, and should be well advanced in their preparations by now," says KPMG Risk Consulting Partner Jackie Hennessy.
"Most organisations are now moving from preparation to implementation, but of course, there will be some who have fallen behind on their compliance journey through lack of in-house resources with capacity and the right expertise and skill set. It is imperative that firms act now to assess how DORA would apply to their business, what organisational and technical changes would be required as a result, and the level of investment needed to ensure compliance."