{"id":1571,"date":"2025-01-20T05:59:00","date_gmt":"2025-01-20T05:59:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1571"},"modified":"2025-01-20T05:59:00","modified_gmt":"2025-01-20T05:59:00","slug":"midsize-firms-universally-behind-in-slog-toward-dora-compliance","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1571","title":{"rendered":"Midsize firms universally behind in slog toward DORA compliance"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Beginning Friday, Jan. 17, all EU financial institutions are now required to operate in compliance with the <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">Digital Operational Resilience Act (DORA)<\/a>. The EU directive aims to increase cybersecurity in the financial industry. However, studies show that many companies are still struggling with implementation.<\/p>\n<p>According to a November 2024 survey from metafinanz, the average level of implementation for DORA compliance at midsize financial companies was around 45%. At the time, none of the organizations surveyed expected to be fully compliant by the Jan. 17 deadline. Anticipated compliance levels for the deadline ranged from 30% to 90%, with the average company expecting to have addressed around two-thirds of the requirements by Jan. 17.<\/p>\n<h2 class=\"wp-block-heading\">The biggest challenges<\/h2>\n<p>The authors of the study attributed this in part to the late publication of the technical standards, in addition to the extensive detail of the regulations. 
According to the German Association of Insurers (GDV), some technical details of DORA remain unclear, in particular concerning management of third-party risks. Under DORA, financial companies must manage both internal information and communication technology (ICT) risks and risks from third-party providers and their subcontractors.<\/p>\n<p>\u201cFor contract management with service providers, the outstanding specifications for subcontracting must be finalized quickly,\u201d says J\u00f6rg Asmussen, general manager of the GDV.<\/p>\n<p>Ron Kneffel, chairman of the board of the CISO Alliance, also confirmed to CSO that many companies have not yet completed the necessary measures to be fully DORA compliant. \u201cThe biggest hurdles continue to be renegotiating existing contracts with IT service providers and partners, as well as creating and maintaining detailed information registers,\u201d Kneffel explains.<\/p>\n<p>\u201cIn addition, integrating new regulatory requirements into existing processes is a major challenge, especially without disrupting ongoing business operations,\u201d he adds. The estimated costs for implementation will vary. \u201cThe expenses depend on the complexity of the requirements, which will be in the medium to upper range.\u201d<\/p>\n<p>Other experts have suggested that DORA could also <a href=\"https:\/\/www.csoonline.com\/article\/3804548\/eus-dora-could-further-strain-cybersecurity-skills-gap.html\">further strain the cybersecurity skills gap<\/a>.<\/p>\n<p>\u201cSmaller organizations may need to rely more heavily on external service providers for testing, monitoring, and compliance management,\u201d Julian Brownlow Davies, global vice president of advanced services at Bugcrowd, recently told CSO. 
\u201cWhile this can reduce the internal staffing burden, it adds recurring costs and potential risks associated with vendor reliance.\u201d<\/p>\n<p>As the insurance industry magazine Versicherungswirtschaft Heute reports, DORA can be very expensive if implementation is not halfway finished by Jan. 17. In Germany, for example, the amount of the fine depends on actions taken by financial regulator BaFin.<\/p>\n<p>Despite the challenges, Kneffel sees a glimmer of hope in the increased use of IT-supported solutions and the outsourcing of IT security services. \u201cSpecialized tools and service providers are already being used, but the possibilities of artificial intelligence are also still being evaluated. These technologies offer enormous potential to accelerate and optimize compliance processes, even if their implementation requires additional resources,\u201d he says.<\/p>\n<p>The central task of CISOs is not only to <a href=\"https:\/\/www.csoonline.com\/article\/2517884\/countdown-to-dora-how-cisos-can-prepare-for-eus-digital-operational-resilience-act.html\">meet regulatory requirements<\/a>, but also to sustainably strengthen the digital resilience of the organization, emphasizes the chairman of the CISO Alliance. \u201cThe remaining tasks must be prioritized, closely coordinated between departments and completed with a clear focus on long-term resilience,\u201d Kneffel says.<\/p>\n<p>He adds: \u201cAt the same time, we have to think beyond the deadline. The requirements should be continuously reviewed and adjusted in order to ensure the long-term safety and stability of IT security.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Beginning Friday, Jan. 17, all EU financial institutions are now required to operate in compliance with the Digital Operational Resilience Act (DORA). The EU directive aims to increase cybersecurity in the financial industry. 
However, studies show that many companies are still struggling with implementation. According to a November 2024 survey from metafinanz, the average level [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1572,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1571"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1571"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1571\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1572"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}