Exploring DORA: A look at the next major EU mandate

Financial institutions have historically managed operational risk through capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must soon follow new rules as well. These rules focus on protection, detection and containment capabilities, and on the ability to repair and recover from Information and Communication Technology (ICT) related incidents. With DORA becoming effective January 17, 2025, covered organizations have only one month left to align with its requirements.

DORA was initially adopted by the European Parliament on November 28, 2022, and specifically targets financial entities operating within the European Economic Area (EEA). The mandate is part of a broader strategy aimed at improving the cybersecurity and operational resilience of financial institutions in the face of increasing cyber threats and digital risks.

The new regulation applies to a broad range of financial entities, including banks, insurance companies, investment firms, payment service providers as well as financial market infrastructures such as trading venues and central counterparties. It even extends to third-party providers of critical ICT services, including cloud computing, which play an essential role in the financial sector’s modern digital infrastructure.

DORA sets out requirements for ICT management, including the need for financial institutions to implement comprehensive risk management frameworks, conduct regular resilience testing, and establish incident reporting protocols. It also creates a new oversight regime for third-party ICT providers, ensuring they are subject to proper regulatory scrutiny.

Why EU enterprises need to prioritize implementing phishing-resistant MFA

While DORA does not explicitly call out multi-factor authentication (MFA), it does prescribe the implementation of policies and protocols for strong authentication as part of its broader focus on improving cybersecurity in the financial sector.

In practice, MFA is recognized as an essential component of strong digital operational resilience, significantly reducing the number of incidents and cyber attacks that originate from compromised credentials. For financial entities operating under DORA, integrating MFA aligns with the regulation’s aim of mitigating risks related to unauthorized access and data breaches, reinforcing both customer protection and the security of critical financial infrastructure.

MFA alone will help save enterprises thousands, if not millions, of dollars arising from cyber incidents in the long run, and protect the valuable digital assets which are critical to operations. However, not all MFA is equal, and prioritizing the adoption of modern, phishing-resistant MFA tools – including hardware security keys – is the only way to ensure organizations are truly safe from stolen credentials and sophisticated attacks like phishing.

What’s the penalty for non-compliance?

Specific monetary penalties are not set out in DORA; however, there will be significant financial consequences for entities within the EEA that do not comply. European Supervisory Authorities (also referred to as Overseers) within each of the member states have the freedom to impose daily penalty payments (for up to six months) equating to 1% of the average daily worldwide turnover from the previous business year. While some sources may cite figures from specific countries and include predictions or comparisons to penalties under similar regulations, like GDPR, those are situational and subject to high variability.

In very severe or continuous cases of non-compliance, regulatory bodies may even enforce operational restrictions. This could involve halting certain business activities or services that are considered highly vulnerable to cybersecurity threats, or suspending licenses if entities are found to be consistently violating DORA standards. These measures ensure that non-compliant entities cannot operate in ways that put the broader financial or digital ecosystem at risk or erode trust in the EU’s financial infrastructures.

Beyond fines and operational consequences, companies that do not adhere to DORA also face significant reputational harm. Cybersecurity incidents due to weak digital resilience, coupled with the penalties for non-compliance, can undermine customer and partner trust. In a highly interconnected market, reputational damage can have a severe long-term impact on a company’s viability.

How Yubico can help your enterprise comply with DORA

Implementing DORA requirements will be an ongoing challenge. Both the depth and breadth of requirements across all facets of the mandate, such as incident reporting and third-party risk management, require continuous action and thoughtful planning. However, understanding that basic cyber hygiene and robust authentication are at the heart of all of it will not only promote a culture of strong cybersecurity, but also raise the floor on how enterprises view risk and resilience.

Yubico can support enterprises of all sizes in their ongoing journey to DORA compliance with YubiKeys – the gold standard for hardware security keys and phishing-resistant MFA – to help protect employees, the supply chain and customers. Our highest-assurance authentication will help bolster enterprise defenses against cyber attacks and incidents, freeing up resources to focus on the other pillars of DORA and, of course, core business values.

For more information and any questions on how your organization can move toward phishing-resistance and get started with YubiKeys to prepare for the upcoming January 2025 deadline today, contact our team and read our new eBook here.
