DORA entered into force on Jan. 16, 2023, but the rules won’t be enforced by EU member states until Jan. 17, 2025.

The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.

“There’s a lot of focus on third-party risk management” now, Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”

“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.

Many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorized individuals and entities.

The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimize the potential of such data being exposed in a breach or leak.

DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.

For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.

Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high a 1 million euros ($1.1 million).

For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance.

Third-party IT firms deemed “critical” by EU regulators could face fines of up to 5 million euros — or, in the case of an individual manager, a maximum of 500,000 euros.

That’s slightly less severe than a law such as GDPR, under which firms can be fined up to 10 million euros ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.

Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stresses that criminal sanctions may vary from member state to member state depending on how each EU country applies the rules in their respective markets.

DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.

That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect.

Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”

“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.

Fredrik Forslund vice president and general manager of international at data sanitization firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”

On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”

“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.”