DORA: Are you prepared for the new financial resilience regulations?

Charlotte White, CloudPay General Counsel
Oct 17, 2024
7 min read

Key takeaways

  • DORA compliance for financial operational resilience will be enforced from January 2025
  • Clear road-mapping for security and risk management is critical
  • Ongoing monitoring can support agility in an evolving risk landscape


Our recent Paymakers event in Athens, Greece brought together payroll practitioners from all over the world, and it was fascinating to discuss the key priorities and concerns that are shaping payroll in 2024 and beyond.

One of the hot topics of conversation was the Digital Operational Resilience Act (DORA), including how we at CloudPay can support the operational resilience of our partners and help them on their compliance journeys. Many payroll operations are up to speed on what they need to do around the EU regulation, while others are still looking for guidance. Here, we cover the key points and how you can ensure you're on the right side of the new regulation.

What is the DORA European regulation?

DORA entered into force as European Union law in January 2023 and applies from January 17, 2025. The regulatory framework has been created to strengthen ICT security and resilience across the financial sector, applying to banks, insurance companies, investment firms, other financial entities and even organizations involved with crypto assets. However, it also applies to a range of third-party ICT service providers that support such organizations.

The act includes specific regulatory requirements in six different areas:

  1. ICT (information and communications technology) risk management
  2. ICT third-party risk management
  3. Digital operational resilience testing
  4. ICT-related incidents and reporting
  5. Information sharing
  6. Oversight of critical third-party providers

The end goal is for all organizations involved to be able to withstand, respond to and recover from a broad range of cyber threats and operational disruptions as quickly and efficiently as possible, safeguarding financial stability and protecting consumers.

Additionally, DORA aims to create a harmonized framework for operational resilience across the EU, reducing regulatory fragmentation and ensuring consistency in how ICT-related risks are handled.

Why does DORA matter? 

DORA was such a hot topic of conversation at Paymakers because it's clear that cybersecurity for financial services is coming under greater regulatory focus. This is a positive step, as it ensures that financial and operational risks are identified, addressed and managed more effectively, for the benefit of organizations and their customers alike. However, it does place more pressure on organizations to ensure that they're compliant with the new regulation, which will be applied and enforced by the competent authorities of each EU member state.

At a practical level, most organizations that come under DORA regulations will have to assess and potentially address four key areas:

  1. Internal risk management: embedding operational resilience into strategy and governance for the long term
  2. Third-party risk management: monitoring critical ICT providers, including due diligence and contractual demands
  3. ICT system investment: strengthening systems, building expertise, upgrading security controls and boosting incident response functions
  4. Cyber awareness: fostering a culture of security awareness through training, cyberattack education and best practice

How can you prepare for DORA?

DORA applies from January 2025, and it was clear from the conversations at Paymakers that now is the time to address operational resilience, if action hasn't been taken already. Organizations can follow a four-step journey to structure that work:

  1. Assessment and management: establish the current level of operational resilience through a risk assessment, including the scale, complexity and importance of third-party ICT service providers
  2. Roadmapping: identify areas for improvement in a DORA compliance roadmap, and establish a robust incident response plan to mitigate attacks and disruptions
  3. Third-party monitoring: improve documentation, contracts and connections so that third-party vulnerabilities and cyber risks are proactively addressed
  4. Review and adaptation: continually reassess and optimize the operational resilience strategy and incident management through regular audits and checks, so that they keep pace with the evolving threat landscape

The good news is that getting this journey right benefits an organization in the financial services sector well beyond compliance: improved risk management, enhanced protection for customers, greater financial stability, and a more level playing field that enables innovation and competition.

Why your third-party payroll provider needs to be prepared for DORA

DORA extends to third parties that provide ICT services to financial organizations, and it distinguishes between providers designated as 'critical' and those that are 'non-critical':

Critical providers, designated as such by the European Supervisory Authorities, will be subject to direct oversight by regulators, including inspections and off-site monitoring to ensure compliance.

Non-critical providers will still be subject to the general principles of DORA, primarily through the contractual and due-diligence requirements their financial-entity clients must impose, and will be expected to maintain appropriate security standards and risk management measures.

As an example, CloudPay is considered a 'non-critical' third-party provider. However, we have taken our own measures to ensure we meet what is required across ICT and third-party risk management, business continuity, disaster recovery, information security and incident response. These not only allow us to meet the requirements of DORA, but also help us support our clients on their compliance journey by providing reassurance that, in our role as one of their key suppliers, we have put the necessary measures in place.

In summary: staying ahead of the curve

Our proactive approach to DORA compliance reflects the concerns and demands that many Paymakers attendees expressed, including the need for ongoing monitoring, regular testing and industry collaboration on best practice. CloudPay is actively working on measures to bolster the CloudPay platform's existing compliance features so that we can continue to provide the reassurance you need. Our work includes:

  • Ongoing Monitoring: we continuously monitor our ICT systems and processes to identify and address potential vulnerabilities
  • Regular Testing: we’re conducting regular resilience testing, such as penetration testing, vulnerability assessments, and disaster recovery drills
  • Industry Collaboration: we’re actively participating in industry forums and initiatives to share best practices and stay informed about emerging threats

Find out more about CloudPay’s compliance services or get in touch to discover how our payroll services could help you.

Need a roadmap for mastering the intricacies of international payroll management? Read our report on Avoiding Global Compliance Traps.
