
The new DORA regulation doesn’t hurt. Yet.

People are doing the minimum and crossing their fingers. Will that become a costly mistake? In this article, we will discuss what is to come for DORA, and a valuable lesson from GDPR becoming law in 2018.

Keith Povey

The Digital Operational Resilience Act (DORA) is set to shake up financial institutions in January 2025. DORA will mandate stringent requirements for operational resilience across institutions. While many organizations are making efforts to comply, a concerning trend is emerging: a "just about enough" mentality.

This approach, driven by a desire to minimize immediate disruption and costs, sees organizations implementing the bare minimum to technically meet the letter of the law. This "tick-box" mentality, however, may prove to be a costly mistake, and the "just about enough" approach is certainly risky.

DORA is a multifaceted regulation with complex requirements. A superficial approach may leave organizations vulnerable to unforeseen gaps and compliance failures.

Focusing solely on meeting the minimum requirements also misses the bigger opportunity. True operational resilience goes beyond mere compliance. It enhances an organization's overall stability, reduces risk, and improves efficiency.

It also raises the question: what did we do last time? Let us cast our minds back to the heady days of 2018, when the General Data Protection Regulation (GDPR) came into law.

What can the DORA regulation learn from GDPR?

The experience with GDPR offers valuable lessons for organizations approaching DORA. Initially, many businesses took a cautious but ultimately limited approach to compliance, prioritizing meeting the minimum requirements.

However, the reality of GDPR enforcement, including significant fines levied on non-compliant organizations, quickly changed the landscape.

Fines are a powerful motivator. The prospect of substantial fines acted as a strong incentive for organizations to prioritize GDPR compliance. Companies that initially took a lax approach were forced to invest heavily in data protection measures to avoid costly penalties.

Data protection became a strategic priority. GDPR elevated data protection to a strategic priority for many organizations, integrating it into their overall business strategy and risk management framework.

Focus on data privacy by design and default. Organizations began to embed data protection principles into their products and services from the outset, rather than treating compliance as an afterthought.

DORA fines are inevitable

While fines may not be the immediate focus for some, DORA carries significant penalties for non-compliance. A "just about enough" approach could leave organizations exposed to hefty fines and reputational damage.

Once DORA comes into force and fines start to be levied, we can expect a shift in organizational behaviour. The fear of financial penalties will likely drive a more proactive and robust approach to compliance.

Organizations will be incentivized to identify and address all areas of non-compliance. They will need to invest in implementing and integrating technologies that support operational resilience, such as incident response platforms and automated testing tools. More regular reviews will refine their resilience frameworks to adapt to evolving threats and regulatory changes.

While it stems from regulation, this will make companies safer. Fundamentally, that is the point of the regulation: to make these companies safer and more reliable, protecting the people who rely on them.

The final word

Whether DORA will follow a similar trajectory to GDPR is not clear yet. But one thing is certain: you will be in a better position if you take a proactive approach. Scrambling for compliance is far less desirable than working to be fully prepared.

While the full impact of DORA enforcement remains to be seen, organizations should not underestimate the potential consequences of non-compliance. By taking a forward-thinking and strategic approach to DORA readiness, organizations can not only meet the requirements but also enhance their overall operational resilience, reduce risk, and gain a competitive advantage in the market.
