After a 2-year implementation, the Digital Operational Resilience Act will be fully enforceable starting in January 2025. Relevant regulatory authorities in each EU member state will enforce DORA’s requirements. These authorities will have the power to monitor compliance and impose penalties on financial entities that fail to meet the regulation’s standards.
Regulatory oversight
Supervisory authorities will closely monitor financial entities’ compliance with DORA’s requirements, including ICT risk management, incident reporting, resilience testing, and third-party risk management practices.
Penalties for non-compliance
Authorities can impose significant penalties on financial institutions that fail to meet DORA’s standards. These penalties can include administrative fines of up to 1% of the entity’s total annual turnover, as well as other remedial actions such as public reprimands or even the withdrawal of the entity’s authorisation to operate.
Guidance and coordination
Regulatory authorities will also provide guidance and best practices to support financial entities in complying with DORA. They will also promote coordination and consistent supervisory practices across the EU to ensure a level playing field.
Oversight of critical third parties
DORA introduces a new framework for overseeing critical ICT third-party service providers that support the financial sector. These providers will be subject to direct supervision by the ESAs to manage the risks they pose to financial entities.
By empowering regulators to closely monitor compliance and impose meaningful penalties, DORA aims to ensure that financial institutions in the EU take the necessary steps to abide by DORA’s regulatory standards.