Articles, blogs and podcasts

DORA Cybersecurity Compliance Impact on Fintech CSPs: What You Need to Know
DORA (Digital Operational Resilience Act) is a pivotal EU regulation designed to address ICT (Information and Communication Technology) cybersecurity risk in EU FSIs (Financial Services Institutions). Most CSPs fall into the ICT category. DORA rules were finalized in January 2024 and go into effect January 2025. This compelling article tells fintech CSPs what they need to know to prepare for DORA.

The SEC added new cybersecurity rules to its existing reporting requirements for public companies. The rules went into effect December 2023 and require public companies to report cybersecurity incidents to the SEC in a timely fashion. Firms also need to report on their cybersecurity capabilities to the SEC on an annual basis. The rules were put into place so investors can take a firm’s cybersecurity profile into account when making investment decisions.
Legacy LIBOR Extension: It Ain’t Over ’Til It’s Over
“It ain’t over ’til it’s over,” said baseball coach Yogi Berra in August 1973 regarding the chances of his fifth-place Mets winning the National League pennant. The same phrase can be applied to legacy LIBOR transition in light of the 2021 IBA LIBOR extension announcement.


SEC imposes hard-hitting rules on alts firms
Last November, the SEC voted to approve amendments to the Investment Advisers Act of 1940. The amendments represent five new rules to mitigate fraud and improve the transparency and impartiality with which the alts industry (private equity, hedge, real estate) deals with its investors.

One year after DORA came into force, what has actually changed? In this follow-up episode of Reimagining Cyber, Rob Aragao welcomes back Dominic Brown of Graves Light Consulting to assess how the regulation is functioning in practice — now an operational reality for EU and global financial institutions. They examine DORA as systemic risk regulation rather than mere compliance, the governance and third-party risk gaps exposed in year one, escalating supervisory scrutiny, the impact of Level 2 standards and TIBER-EU testing, and why year two marks a shift from preparation to proof — where resilience must work in practice, not just on paper.

I was a guest on the Reimagining Cyber podcast talking about DORA (EU Digital Operational Resilience Act). DORA addresses cyber threats to the EU financial system, emphasizing risk management, incident response, and third-party oversight. In the podcast I compare DORA to US regulations and advise organizations on how to build risk management strategies to enhance cyber resilience before the 2025 deadline.
Give it a listen!

Why Banks Are Using Document Management Solutions to Manage Subpoenas
Financial institutions are turning to SaaS platforms they’re already using to save time, money and mitigate legal risk in the subpoena response process.

LIBOR Transition
This brief article discusses how banks are using Intralinks secure document collaboration to facilitate LIBOR transition.