Financial services companies that are based in the European Union or that do business in the EU must be compliant with the Digital Operational Resilience Act (DORA) by January 25, 2025. They must meet all five pillars of DORA compliance: ICT risk management, ICT incident reporting, digital operational resilience testing, third-party risk management, and information sharing.
The average cost of a data breach for financial industry enterprises globally is $6.1 million in 2024, according to the IBM Cost of a Data Breach 2024 report, more than 20% higher than for all industries combined.
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is a key piece of European Union legislation focused on strengthening the resilience of the financial sector against digital operational risks, such as cyberattacks and other ICT-related disruptions.
DORA aims to ensure that financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions and threats, including cyberattacks. By addressing digital threats in the financial sector, DORA protects the stability and integrity of the EU financial system.
If you’re wondering why you’re hearing about DORA now, it’s because financial institutions have until January 17, 2025 to comply with DORA’s regulations or face stiff penalties. Many of the required steps include thorough documentation of procedures that will be time-consuming if your organization doesn’t already have them in place, so you should start preparing now.
What are the penalties for DORA non-compliance?
Companies are subject to fines up to 2% of their annual turnover (product revenue) as well as administrative repercussions, license revocation, and brand degradation. Individuals face criminal penalties as well.
For third-party service providers found to be in violation of DORA, penalties can be up to 1% of the previous year’s average daily turnover per day for up to six months.
Milestones for DORA compliance
Did you hit these critical dates?
- July 1, 2024: The first round of dry run exercises focused on testing the incident reporting protocols and the robustness of ICT risk management frameworks.
- October 15, 2024: Financial institutions had to submit their preliminary compliance reports, which provide a detailed analysis of their current state of preparedness and highlight opportunities for improvement.
There are still critical dates ahead:
- January 1, 2025: Organizations begin their second dry runs, testing business continuity plans and assessing the effectiveness of disaster recovery mechanisms.
- January 17, 2025: Organizations must be fully compliant. There will be no grace period.
How to become compliant with DORA
Cyber incidents are rapidly becoming a matter of when, not if, for financial institutions. According to the IBM report, 75% of the increase in average breach costs in this year’s study is from lost business and post-breach response activities. Investing in post-breach response preparedness can help dramatically lower breach costs for financial enterprises and their customers.
Here are five steps Financial Services companies that use Java can take to become compliant:
- Develop and Implement an ICT Risk Management Framework. Unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. Azul is the only commercially supported OpenJDK distribution to provide stabilized, security-only patches across Java versions, operating systems and architectures to ensure that Java applications remain resilient and compliant with ICT risk management requirements.
- Establish an Incident Reporting Mechanism. OpenJDK distributions may not receive critical updates or fixes, leading to unreported and unnoticed incidents that can result in non-compliance. Azul Intelligence Cloud provides continuous monitoring of vulnerabilities and unused and dead code in production, helping organizations quickly and accurately detect, report, and remediate vulnerabilities. According to IBM, businesses took an average of 194 days to identify a data breach globally in 2024, although organizations using threat intelligence identify threats 28 days faster on average.
- Conduct Regular and Rigorous Testing of ICT Systems. Using outdated or vulnerable versions of Java may not accurately reflect production environments, leading to false security assumptions. Azul provides up-to-date, tested Java distributions including for legacy versions like Java 6 & 7 and architectures like Windows x86 32-bit, enabling reliable and accurate testing environments for financial institutions.
- Enhance Third-Party Risk Management Practices. Relying on unsupported OpenJDK distributions from third parties increases the risk of security breaches and operational failures. Azul’s fully supported builds of Java ensure that third-party Java-based applications and services meet the highest security and performance standards, reducing third-party risks.
- Facilitate Information Sharing on Cyber Threats. Unsupported Java may miss critical updates and patches, making those applications and services the weak link in the information-sharing chain. By using Azul’s supported Java distributions, organizations can ensure they are aware of the latest vulnerabilities and can share relevant threat information with other entities to enhance collective cybersecurity.
Failure to achieve DORA compliance can have a serious impact on your organization and the individuals responsible for your Java investments. The risks of running unsupported Java include:
- Security Risks: Unsupported distributions do not receive timely security-only updates, leaving systems vulnerable to cyberattacks and breaches.
- Compliance Issues: Lack of support can lead to non-compliance with regulatory requirements like DORA, potentially resulting in fines and reputational damage.
- Operational Instability: Unsupported distributions might not receive performance improvements or critical bug fixes, leading to system outages and degraded performance.
- Inaccurate Testing: Outdated Java environments can cause testing environments to be less accurate, leading to vulnerabilities being missed in resilience tests.
DORA is one of several pieces of legislation around the world aimed at strengthening the resilience of companies against cyberattacks, data breaches, and other incidents. Others include the Cybersecurity and Infrastructure Security Agency (CISA) Directives in the U.S., the Financial Conduct Authority (FCA) Operational Resilience Requirements in the UK, and the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines in Singapore, among many others.
DORA is targeted at ensuring that financial institutions are better equipped to handle ICT-related risks, to protect the stability and integrity of the EU financial system.
Get your Java estate in order with Azul
The legislation focuses on ICT assets, which it defines as “a software or hardware asset in the network and information systems used by a financial entity.” Java is the programming language of choice for the Financial Services industry. According to the 2022 FINOS State of Open Source in Financial Services report, 51% of the code within the financial services data set is written in Java.
All the world’s top 10 trading companies and six of the top 10 U.S. financial firms have switched to Azul. Using a stable, supported Java platform is critical to complying with DORA. With that in mind, we present some guidance to help get you started on your road to DORA compliance.
Azul is the only OpenJDK distribution that provides quarterly updates to its customers that are focused on security-only fixes. Azul is an excellent fit for DORA’s requirements, offering updates and patches to address vulnerabilities consistently faster than any alternative distribution. Azul makes these updates available according to a strict SLA, which is critical for protecting financial systems under DORA’s stringent cybersecurity mandates.
Azul’s OpenJDK also unlocks and enables monitoring and logging capabilities, in particular via its unique Intelligence Cloud product, which is critical for DORA’s reporting and incident response requirements.
With uniquely advanced monitoring tools and detailed logging mechanisms, Java applications on Azul’s platform can provide real-time insights and comprehensive audit trails focused on detecting vulnerabilities as well as unused code, enabling financial entities to detect, report, and respond to incidents promptly.
Azul’s high-performance Java platform, Azul Platform Prime, and its flagship Platform Core, align with DORA’s continuity planning and disaster recovery emphasis. Azul’s hardened enterprise OpenJDK distribution is optimized for high performance and stability, ensuring financial applications remain operational during disruptions.
Azul’s commitment to long-term support and regular updates, including extended support for Java 6 and 7 not provided even by Oracle, uniquely helps to mitigate risks associated with third-party dependencies, meeting DORA’s high security standards.
Conclusion
Azul’s OpenJDK is the premier choice for financial institutions seeking compliance with the Digital Operational Resilience Act (DORA) in the EU.
Its comprehensive long-term support (LTS) versions ensure stability and ongoing security updates, crucial for maintaining operational resilience under regulatory scrutiny. Azul’s enhanced security features, comprehensive testing, and compatibility with modern architectures and cloud environments provide the secure and scalable Java platform demanded by DORA.
With a proven track record in performance and reliability, Azul exceeds the stringent requirements of DORA, offering financial institutions a Java solution that can navigate the complexities of digital operational resilience effectively.
For more information, read our DORA FAQs or talk to a Java application and infrastructure expert at Azul.