1 year away from DORA enforcement, compliance time is ticking for financial institutions and tech companies

Jan 17, 2024 | News

Vilvoorde, Mont-Saint-Guibert, Windhof – 17 January 2024 – WESTPOLE Benelux, a provider of IT services and solutions and a specialist in digital transformation, signals that complying with the Digital Operational Resilience Act (DORA) regulation by the due date could pose a challenge for many financial actors and their tech suppliers. One unique aspect of DORA is that it applies not only to financial entities (including insurance companies), but also to the ICT providers that service the financial sector. The financial sector is increasingly dependent on technology and tech companies to guarantee their services.

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and is to be applied and enforced by member states as of 17 January 2025, exactly one year from now. DORA represents the EU’s response to the ever-increasing number of cyberattacks against financial institutions. Confirming this trend, WESTPOLE partner IBM’s “Cost of a data breach” report 2023 states that:

  • Since 2020, the cost of a data breach has risen by 15.3%, from 3.49M EUR to 4.02M EUR.
  • Financial Services is the sector facing the second highest risk, only preceded by the healthcare sector.
  • Smaller organisations are hit harder, probably due to lesser investment in security and prevention.

Considering common threat vectors, both internal and external, the call for data privacy protection is exponentially high in the case of the financial sector. Other than the direct loss (financial damage, reputation loss, legal claims, etc.) for financial actors, attackers often have access to millions of transaction and client records. WESTPOLE states that the impact of DORA for the companies and institutions concerned is as big as the GDPR regulation.

Antonio Baptista da Silva, Compliance Officer at WESTPOLE Benelux based in Luxembourg, further explains: ‘DORA is designed to strengthen the security of EU financial firms, such as banks, insurance companies, payment and  investment firms, etc. By imposing cyber resilience requirements, financial entities should be better prepared to ensure the services they provide are not disrupted by cyberattacks, outages or other risks.’

The road to DORA compliance for financial entities great and small, could pose a challenge, just 365 days from the enforcement deadline. DORA establishes technical requirements for financial entities and ICT providers across four domains: ICT risk management, third-party risk management, incident response and reporting, resilience testing. Information sharing is also encouraged.

‘It is our experience at WESTPOLE that completing this roadmap, from the analysis to the implementation, takes on average 18 to 24 months, depending on the size of the entity and the cyber risks which are revealed by the initial analysis’, da Silva states. ‘DORA applies to financial entities and their respective ICT providers. The risk management analysis, both internally and towards ICT third party providers, is considered the most difficult aspect of this process. Entities will not be allowed to contract with ICT providers who cannot meet these requirements. With half of the implementation window already over, the clock is ticking for financial entities that have just started this transition, or are eve still to do so.’

 ‘Adopting the use of a governance and risk compliance tool is often the first step, as it ensures entities to comply with various risk management regulations and standards (DORA, NIS2, GDPR, …) in a single environment’, da Silva concludes. ‘Even if the road to compliance is still a long one for some financial entities, this kind of tool first of all proves the intention towards compliance. Secondly, it will simplify the analytic part of the compliance process and all steps following from that point on.’

For additional information or an interview, please contact Jeroen Nedergedaelt at: [email protected], +32 2 658 02 96 or +32 485 64 82 36.
You can find all the WESTPOLE press releases on our site.


About WESTPOLE Benelux

WESTPOLE Benelux, a provider of IT services and solutions and a specialist in digital transformation, has over 300 employees and five offices in Belgium and Luxembourg. The company has a turnover of around 40 M€. WESTPOLE Benelux has more than 30 years of experience in technology and innovation management. WESTPOLE Benelux is part of the Prodware Group.

WESTPOLE Benelux supports the management of infrastructure and applications for companies, by accompanying them in their digital transformation through a tailor-made global approach. The company assists its customers in their strategic challenges in areas such as cloud applications, infrastructure, and cybersecurity.

For further information: www.westpole.be