Understanding DORA regulation

X-treme backup for hyper-resilience of financial institutions' critical services


What is it?

The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the IT security of financial entities (banks, insurance companies and investment firms) and their ICT service providers, and to make sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. DORA complements existing regulations such as the GDPR and the NIS2 Directive.

ICT = Information and Communication Technology. DORA = Digital Operational Resilience Act. GDPR = General Data Protection Regulation. NIS2 = Network and Information Systems Directive.

Timeline and Milestones

[Infographic: DORA timeline and milestones for digital payments]

Challenges encountered by the financial institutions

A breakdown can lead to considerable financial losses.

  • Magnitude of Losses: In 2023, cyberattack incidents resulted in Americans losing approximately $12.3 billion. The average cost of a data breach reached an all-time high of $4.45 million per incident (1).
  • Impact on Businesses: Over half of businesses globally reported financial losses of at least $300,000 due to cyberattacks, with 12% experiencing losses exceeding $1 million (2). Financial firms specifically face average losses of about $926,000 for each cybersecurity incident (3).

A cyber attack can cause lasting damage to an organisation’s reputation.

  • Trust Erosion: Cyberattacks can severely damage a company’s reputation, leading to loss of customer trust and negative media coverage. For instance, the 2024 Change Healthcare data breach resulted in estimated total losses of nearly $2.9 billion, not including the reputational damage incurred (4).
  • Long-term Effects: Companies may experience sustained declines in shareholder value post-attack, with some reporting drops of up to 25% in market value within a year following a breach (5). The reputational damage can lead to ongoing challenges in customer retention and acquisition.

Non-compliance with DORA exposes companies to significant penalties.

  • Financial Penalties: Non-compliance with the Digital Operational Resilience Act (DORA) can result in fines of up to 2% of a company’s total annual worldwide turnover or up to 1% of average daily turnover. Individuals could face fines of up to €1 million, while critical third-party ICT service providers may incur even higher penalties, reaching up to €5 million (6).
  • Regulatory Actions: Beyond financial penalties, non-compliance can lead to mandatory remedial measures, public reprimands and potential withdrawal of operational authorisations, significantly impacting an organisation’s ability to function effectively in the market (7).

Sources:
(1) www.embroker.com/blog/cyber-attack-statistics/
(2) www.statista.com/statistics/1475047/companies-worldwide-financial-loss-to-cyberattacks/
(3) www.kaspersky.fr/about/press-releases/financial-firms-hit-with-million-dollar-losses-per-cybersecurity-incident
(4) www.anapaya.net/blog/5-ways-cyberattacks-can-damage-a-companys-reputation
(5) www.aon.com/unitedkingdom/insights/reputational-damage-and-cyber-risk.jsp
(6) https://faddom.com/dora-regulation-requirements-penalties-and-compliance-checklist/
(7) www.grantthornton.ie/insights/factsheets/digital-operational-resilience-act-dora-regulation-summary/

Digital payments must achieve hyper-resilience by addressing three horizons

[Diagram: the three horizons of hyper-resilience]

X-treme back-up by Worldline

  • Multi-channel communication to cardholders / companies (mobile app, contact centres, IVR, OTP SMS, …)
  • Stand-in processing (card-based transaction authorisation, SWIFT, 3-D Secure authorisation, …)
  • Back-office: fraud management, dispute management, …
  • Critical static data
  • Orchestration layer to seamlessly switch between solutions (payment, authentication method, …)

Benefits of our solution

Backup Service Bureau for DORA

A fully managed Swift or Nexi connectivity service, used when the primary connectivity to Swift or Nexi is disrupted.

[Diagram: Backup Service Bureau for DORA]

Fallback to Worldline Messaging Interface

The message flow is redirected through Worldline's messaging interface and SWIFT Alliance Gateway (SAG).

[Diagram: fallback to the Worldline Messaging Interface]