The EU's DORA act came into force on January 17, 2024 and non-compliant financial services providers are facing regulatory pressure and potential fines. Discover how SAP LeanIX can enable an accelerated DORA transformation to ensure your firm is compliant.
The European Union's Digital Operational Resilience Act (DORA) is now enforceable. This leaves non-compliant financial institutions in a race against time to complete a DORA compliance transformation before regulators catch up with them.
DORA isn't just a reporting mandate, however; it will likely require a complete overhaul of your IT operations to meet modern cyber resilience standards. This is a huge task, so it's no wonder that many organizations in the financial services market still haven't begun to prepare for DORA.
SAP LeanIX unlocks DORA transformation by mapping your entire IT landscape so that you can immediately surface points of non-compliance. Our solution will also allow you to rapidly build a road map for change and understand all the impacts of that change on your landscape.
Let's explore what DORA is, the risks it poses, and how SAP LeanIX can help.
DORA is now in force and financial services providers need to get compliant fast. Find out more about DORA and how SAP LeanIX can accelerate your DORA transformation by downloading our free white paper:
WHAT IS: Digital Operational Resilience Act – DORA
What Is DORA?
The European Union's Digital Operational Resilience Act (DORA) was drafted just after the COVID-19 lockdowns. For the first time, Europeans were self-isolated at home and entirely reliant on the internet to acquire goods and services, including banking and finance.
This exposed the vulnerability of digital financial systems both to falling short of expectations in a remote setting and to exploitation by cyber criminals. The EU immediately began drafting legislation to ensure financial services providers operating within Europe offer resilient digital services.
The resulting DORA act was passed into law on January 16, 2023, and European financial institutions were given two years to bring their IT landscapes in line with the DORA standard. That 24-month grace period expired on January 17, 2025, and organizations will now be held accountable for their digital resilience.
DORA prescribes specific standards for the IT operations of any organization offering financial services in the EU territory, including:
- IT risk management and governance
- Incident response and reporting
- Digital operational resilience testing
- Third-party risk management
The last category is perhaps the most daunting, as organizations are now responsible not only for their own IT landscapes, but also for the operations of outside companies. This customer-focused legislation is, therefore, putting tremendous pressure on financial services providers.
Speaking to organizations in the sector, however, we're finding that many haven't even started to assess whether their operations are DORA compliant yet. We're hearing from many in the industry that they simply don't know where to start with a mammoth DORA transformation.
Without help, these organizations are facing consequences from the regulators. This could range from fines to a loss of their competitive advantage.
The Consequences Of Ignoring DORA
The European Union's Digital Operational Resilience Act (DORA) offers some harsh penalties for non-compliance. However, the long-term consequences of ignoring DORA could be far more dangerous.
Under the act, financial services providers operating in the EU will be fined 1% of their average daily worldwide turnover for each day of non-compliance. This could be a catastrophic loss of earnings for companies over an extended period if a DORA transformation isn't completed promptly.
This could discourage global financial institutions from operating within Europe for risk of losing 1% of their revenue to European regulators. Yet, staying out of Europe will deny them access to seven of the world's top 20 financial hubs.
Even if you don't yet wish to operate in Europe, DORA compliance unlocks the possibility of doing so later. Not to mention that, if DORA proves successful, global regulatory standards could well fall in line with it later on.
Furthermore, in the long term, an organization lagging behind in achieving DORA compliance, within Europe or outside, could lose its competitive edge in the market. If other financial services providers can offer DORA-compliant cyber resilience with no downtime or losses to cyber theft, customers may begin to switch away from your service.
However you look at it, becoming compliant with DORA is beneficial, despite the challenges. Yet, as we noted above, many financial institutions feel unable to do so as they simply don't have enough oversight of their IT landscape to know where they're compliant and where they are not.
What Financial Services Providers Need To Do
The European Union's Digital Operational Resilience Act (DORA) is putting tremendous pressure on financial services providers to make their IT landscapes future-proof. The question for IT teams in the industry, however, is where to start.
Before you can begin a DORA transformation, you need to know what the DORA standards are and what the current state of your IT landscape is. You need a data repository to act as a single source of truth on the official DORA standards and how your own landscape compares to them.
Once you've analyzed that data, you'll know exactly what you need to change in your IT landscape in order to achieve compliance. You'll then need a road map for your transformation, which is best kept in the same repository as your data.
Finally, you need to monitor your live transformation in order to ensure business continuity and that you're actually achieving your goals. This is all eased with guidance and support from experts in both the financial services industry in Europe and the DORA standards.
To enable this in your organization, we've partnered with both SAP Signavio and Deloitte in order to create a DORA Foundation Model and Integration Approach. Leveraging SAP LeanIX and Signavio solutions, and Deloitte's expert guidance, you can achieve DORA compliance rapidly and avoid harsh fines.
Leveraging SAP, LeanIX, And Deloitte For DORA
The European Union's Digital Operational Resilience Act (DORA) could rapidly become a crisis for European financial services providers. To prevent this, we've partnered with SAP Signavio and Deloitte to ensure financial institutions are able to rapidly meet the demands of DORA.
Begin by using SAP LeanIX to inventory your IT landscape, including your software applications and IT components, automatically discovering what in your estate is best-of-breed and what needs to be replaced. Then, map out your business processes in SAP Signavio, linking this information to your IT landscape in SAP LeanIX to understand which processes are supported by which technology.
Next, apply the DORA Foundation Model that we developed with Deloitte in order to see what parts of your landscape are compliant with DORA. You can then create a road map for DORA transformation directly within the platform.
Lastly, you can recruit Deloitte's experts to provide guidance and advice on your transformation, ensuring it goes smoothly. Meanwhile, you can view your results against your key performance indicators (KPIs) within SAP LeanIX and Signavio.
Leveraging our toolset and Deloitte's expertise, you can rapidly respond to the demands of DORA and ensure your technology is supporting your competitive edge in the market. Start your DORA transformation today.