Wednesday, February 14, 2024
In their supervisory capacity, the EBA, ESMA and EIOPA provided guidance on DORA compliance to financial market participants, authorities and industry stakeholders, claiming these guidelines and mandatory gap assessments will help firms identify vulnerabilities and safeguard network entry points. Supporters claim that DORA brings harmonization to rules that are currently scattered across 20 different financial entities and third-party service providers.
Fadi Mantash, chief information security officer at Tribe Payments, stated that DORA is a major shift in regulatory standards due to its emphasis on building resilient frameworks that can withstand cyber operational challenges. "Its focus on risk management, incident reporting and third-party dependencies highlights the criticality of resilient systems in safeguarding financial transactions," Mantash said.
EBA, ESMA and EIOPA representatives emphasized that DORA standards are not meant to be punitive; they offer an extended onramp to help companies achieve and maintain compliance.
"As a measure to enhance the overall digital operational resilience of the EU financial sector, on 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union and entered into force on 16 January 2023. DORA will apply from 17 January 2025," the authorities wrote in a joint memo dated June 19, 2023, advising that further policy details would be made public on Jan. 17 and June 17, 2024.
The supervisory authorities pointed out that DORA, a cross-sectoral regulation, applies to over 20 types of financial entities and numerous competent authorities and is designed to create harmonized legislation. They added that the more than 50 authorities involved in the policymaking include national authorities, the European Central Bank and ENISA, all of whom have collaborated on developing DORA policy products.
Mantash noted that DORA compliance and oversight will be no easy task for organizations and regulators, and it could require major investment in system overhauls.
"The cost of compliance is something that large payment and fintech firms can afford, but it could place intense financial burdens on smaller players," he said. "However, reducing operational risk now has the potential to pay massive dividends in the future in the form of increased client confidence and collaboration opportunities."
Mantash went on to say that with the DORA compliance deadline fast approaching, payment firms should view it not just as a regulatory requirement but as an opportunity to strengthen their digital foundations. He added that participating firms that embrace the upcoming regulatory shift with agility and innovation will harden security and be well positioned to enhance customer trust and operational efficiency.