Navigating DORA: Could This Be the Turning Point for Digital Resilience in Financial Services and IT in Europe?

In the digital age there is hardly an industry that has not leveraged technology to get closer to its goals; by one estimate, 90% of SMBs now use digital communication tools to compete in their niches.

The financial sector has undoubtedly been transformed by technology. Blockchain, data analytics, and AI underpin internet banking, mobile payments, and cryptocurrencies, and have streamlined day-to-day transactions, critical data management, and the automation of repetitive financial tasks.

However, these enhancements have opened the door to several risks. In a recent paper from the Harvard Kennedy School, Senior Fellow Jo Ann Barefoot grouped them into categories including loss of privacy, fraud and scams, compromised data security, and more.

These risks have materialized in well-known breaches such as the First American Financial Corp. breach (885 million financial and personal records exposed) and the Equifax breach (147 million people affected), alongside countless ransomware incidents, supply chain attacks, and phishing campaigns.

These risks and incidents have increased the need for regulation, and this is where the Digital Operational Resilience Act ("DORA") comes in.

[Image: the DORA logo, the acronym in yellow on a blue background, surrounded by twelve yellow stars in a circle.]

What is DORA?

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU regulation designed to protect financial entities against ICT-related risks.

The EU's aim is to make financial entities digitally resilient: able not only to withstand and mitigate risks but also to respond to and recover from ICT-related incidents so they can keep delivering critical services to their customers.

It also creates a single, standardized way of managing ICT risk across the EU, so that cross-border collaboration is not held back by divergent national requirements.

DORA entered into force on 16 January 2023, and financial entities must comply with it from 17 January 2025.

It applies not only to financial entities themselves but also to the third-party providers that supply outsourced ICT services to them.

Outsourcing IT-related services is popular within the finance industry, with 72% of organizations in the financial sector outsourcing services such as app development.

These providers typically supply essential technology such as cloud computing and data storage, so their resilience directly affects the entities that depend on them. Bringing them into scope also supports harmonization: every party in the chain is held to the same standard, which gives stability to the financial ecosystem.

DORA rests on five core pillars that together form a comprehensive digital resilience strategy:

  • ICT Risk Management and Governance

  • Information Sharing

  • ICT-Related Incident Reporting

  • ICT Third-Party Risk

  • Digital Operational Resilience Testing

Let’s take a closer look at each of these five pillars.

ICT Risk Management and Governance

Financial entities must maintain a robust framework to identify, assess the impact of, manage, and mitigate ICT risks, both internal and external. DORA places ultimate responsibility on the management body, which must approve, oversee, and remain accountable for the risk management strategy rather than delegating it entirely to the IT function.

Once risks are assessed and identified, policies and control measures will need to be put in place to facilitate the necessary protection from these risks.

To create the necessary mitigation strategies, companies need to analyze the impact of each risk and how it will affect their business and use this information to inform the architectural design of ICT systems.

That said, nothing is bulletproof, so the framework must also include business continuity and disaster recovery plans for when an incident does occur. These cover not only cyber attacks but also other disruptions such as natural disasters and system failures, and they should include tested backup and restore procedures so that key data cannot be permanently lost.

ICT-Related Incident Reporting

Despite efforts to improve the security infrastructure of financial service firms, as mentioned above, no strategy is bulletproof.

As noted in a keynote speech to the Annual Assembly of the Spanish Banking Association, the share of banks that had suffered up to ten successful cyberattacks rose rapidly from the first half of 2022, so it is important to assume that anything can happen.

Reporting incidents also strengthens your risk management strategy: you learn how to protect against the next incident and find the gaps in your current digital resilience strategy faster.

DORA requires firms to implement a diligent process for managing, classifying, and reporting ICT-related incidents to their competent authority. Major incidents must be reported on fixed timelines set out in the Level 2 technical standards: an initial notification within 4 hours of classifying the incident as major and in any case no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. This gives users, clients, and authorities clarity about when they will receive more information about critical incidents.
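A detail that trips up incident response tooling is that the initial-notification clock has two starting points: four hours from classification, capped at 24 hours from awareness, whichever comes first. The following is an added example, not code from the original article or from any regulator, that computes the latest permissible submission times for the three reports. It assumes the windows stated above (4 hours/24 hours, 72 hours, one month), approximates "one month" as 30 days, and uses a constructed scenario; check the applicable RTS/ITS text before relying on the figures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows for a *major* ICT-related incident under DORA Art. 19 and its
# Level 2 technical standards (assumed here; verify against the applicable RTS/ITS):
#   initial notification: within 4 hours of classifying the incident as major,
#                         and never later than 24 hours after becoming aware of it;
#   intermediate report:  within 72 hours of submitting the initial notification;
#   final report:         within one month of submitting the intermediate report
#                         (approximated as 30 days, an assumption of this example).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial_notification: datetime
    intermediate_report: datetime
    final_report: datetime
    # True when the 24h-from-awareness cap, not the 4h-from-classification rule, set the deadline
    initial_capped_by_awareness: bool


def _require_aware(ts: datetime, name: str) -> None:
    # Deadlines are regulatory facts; naive timestamps invite off-by-timezone errors.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def reporting_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: Optional[datetime] = None,
    intermediate_sent_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Compute the latest permissible submission time for each report.

    The intermediate and final clocks start from the *actual* submission of the
    previous report; when that is not yet known, the previous deadline is used,
    which yields the latest possible (worst-case) schedule.
    """
    _require_aware(aware_at, "aware_at")
    _require_aware(classified_at, "classified_at")
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    by_classification = classified_at + INITIAL_AFTER_CLASSIFICATION
    cap = aware_at + INITIAL_CAP_AFTER_AWARENESS
    initial = min(by_classification, cap)  # the earlier of the two bounds wins

    initial_basis = initial_sent_at if initial_sent_at is not None else initial
    intermediate = initial_basis + INTERMEDIATE_AFTER_INITIAL

    intermediate_basis = intermediate_sent_at if intermediate_sent_at is not None else intermediate
    final = intermediate_basis + FINAL_AFTER_INTERMEDIATE

    return ReportingDeadlines(
        initial, intermediate, final, initial_capped_by_awareness=cap < by_classification
    )


def overdue_reports(deadlines: ReportingDeadlines, now: datetime, submitted: dict) -> list:
    """Return the names of reports whose deadline has passed with no submission recorded."""
    _require_aware(now, "now")
    late = []
    for name, deadline in (
        ("initial_notification", deadlines.initial_notification),
        ("intermediate_report", deadlines.intermediate_report),
        ("final_report", deadlines.final_report),
    ):
        if name not in submitted and now > deadline:
            late.append(name)
    return late


if __name__ == "__main__":
    # Constructed scenario: the SOC becomes aware of an outage at 09:00 UTC but only
    # classifies it as major 22 hours later, so the 24-hour cap, not the 4-hour rule, binds.
    utc = timezone.utc
    aware = datetime(2025, 2, 3, 9, 0, tzinfo=utc)
    classified = datetime(2025, 2, 4, 7, 0, tzinfo=utc)
    d = reporting_deadlines(aware, classified)
    print("initial      ", d.initial_notification.isoformat(), "(capped)" if d.initial_capped_by_awareness else "")
    print("intermediate ", d.intermediate_report.isoformat())
    print("final        ", d.final_report.isoformat())
    print("overdue at 2025-02-04T10:00Z:", overdue_reports(d, datetime(2025, 2, 4, 10, 0, tzinfo=utc), {}))
```

In the constructed scenario the initial notification is due at 09:00 UTC on 4 February, two hours before the four-hour rule alone would require, which is exactly the case a naive "classification plus four hours" implementation gets wrong. Once a report has actually been submitted, pass its timestamp so the downstream deadlines tighten accordingly.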

Digital Operational Resilience Testing

Financial institutions must evaluate the effectiveness of their resilience strategies without waiting for a real incident. To meet DORA requirements, they will need to conduct a range of tests to assess their ability to withstand disruptions, identify weaknesses, and implement safeguards. These include:

  • Vulnerability Assessments: Identifying and classifying vulnerabilities in corporate information systems such as ERP, CRM, and HR management systems.

  • Wireless Assessment: Evaluating vulnerabilities in internal Wi-Fi networks and in the guest networks offered to customers and visitors.

  • Source Code Analysis: Scanning and reviewing source code at least annually to uncover and resolve issues that stem from fundamental security flaws in how your systems were developed.

  • Penetration Test: Simulating real attacks against your systems and infrastructure, with the tester actively exploiting the weaknesses found to demonstrate their real-world impact rather than merely listing them.

  • Threat-Led Penetration Testing (TLPT): Required at least every three years for the financial entities their competent authority designates, and modelled on the TIBER-EU framework. TLPT targets the live production systems supporting critical or important functions and is driven by intelligence about the adversaries actually targeting the entity, whereas an ordinary penetration test might only cover a particular subset of systems; the scope depends on the size, activity, and risk profile of the entity.

ICT Third-Party Risk

With 62% of data breaches reportedly involving third-party vendors, the digital resilience of the ICT service providers a financial entity relies on has a direct impact on the entity itself.

That’s why DORA emphasizes the need to manage the risks associated with working with third parties and has regulations in place to make sure that inter-company collaborations don’t cause ICT-related incidents. These include:

  • Strict contractual requirements with mandatory clauses, including documented security measures and contingency plans.

  • The obligation to create and maintain a register of information covering all contractual arrangements with ICT third parties, which helps financial entities monitor the risks associated with them.

  • Carrying out the necessary due diligence before onboarding a provider, and documenting all outsourced activities and the vendors performing them.

  • Subjecting critical ICT third-party providers to a Union-level oversight framework. One of the ESAs is designated Lead Overseer for each critical provider; it can issue recommendations and impose periodic penalty payments for non-compliance, and competent authorities can require financial entities to suspend or terminate arrangements with providers that do not comply.

Information Sharing

With 74% of data breaches reportedly involving a human element, how financial institutions share what they learn about threats with one another plays a fundamental role in preventing cyber attacks.

This is why DORA sets out the conditions under which cyber threat information and intelligence may be exchanged between financial entities to enhance resilience.

Financial institutions will need to make sure that they have the correct information-sharing arrangements in place in a way that takes place within a trusted community of financial entities and protects the nature of the information being shared.

Financial entities will need to notify the relevant authorities of their participation in any information-sharing arrangements.

How will these regulations benefit financial institutions?

According to IBM's Cost of a Data Breach Report 2024, financial services was the second most affected industry, with an average cost of $6.08 million per breach. This highlights the critical need for tighter regulation.

Historically, the absence of such measures has allowed major incidents to happen, from data breaches to fraud, as in the infamous Wirecard case (an accounting fraud rather than an ICT incident, but one that exposed the cost of weak oversight).

While stronger cybersecurity is the most immediate benefit of DORA, its impact extends further. Applying one set of rules across the EU will facilitate international collaboration, driving innovation and trust between entities.

By harmonizing compliance requirements, DORA eliminates the complexity of navigating varying national laws, easing the process of cross-border partnerships.

Though initial compliance may require investment, it offers long-term cost savings by reducing risks associated with data breaches and other types of ICT incidents.

With 80% of consumers now preferring a fully digital banking experience, DORA ensures a financial ecosystem with a reputation for robust security, increasing customer loyalty by keeping their capital and banking needs in safe hands.

DORA also enhances operational resilience. Compliant organizations will benefit from improved incident response and recovery strategies, ensuring smoother operations, minimal disruption, and better overall performance.

Implications and challenges

Although DORA offers clear strategic benefits for financial firms, the regulations aren’t designed to be a one-off checklist and will require a fundamental operational shift, starting at the senior leadership level.

Entities must allocate resources to compliance-focused activities, including investing in cybersecurity solutions, data management systems, and incident response tools.

Additionally, they’ll need to establish a robust risk management framework involving risk assessments, policy updates, and regular audits, potentially with authorities, to address weaknesses in their operational resilience strategies.

The regulations also impact relationships with third-party vendors, requiring extra due diligence, monitoring, risk management, and contractual compliance. This can take up more resources, disrupt existing partnerships, and lead to operational delays, particularly for entities with multiple vendors, where constant oversight and monitoring adds extra complexity.

Non-compliance carries significant penalties. For financial entities, DORA leaves the level of administrative penalties to each member state's competent authority, so fines vary by jurisdiction but can be substantial. Critical ICT third-party providers that ignore the Lead Overseer's recommendations face periodic penalty payments of up to 1% of their average daily worldwide turnover, applied daily for up to six months until they comply.

Summary - Will these regulations hold back innovation or enhance it?

Although it has its challenges, the DORA regulations are designed to facilitate a safe environment where financial service companies can operate. With the right security infrastructure in place, this gives more reason to innovate and invest in modern technologies such as AI, as they’ll now be confident in their ability to prevent and respond to potential incidents associated with adopting new technology.

As the number of risks in the financial services sector has grown, these regulations will help entities mitigate them and thrive, much as the UK's New Strategic Fintech Plan, which set out a regulatory framework for future digital financial services, has helped the UK become a leader in finance.

From January 2025, the act applies and supervisory oversight activities begin.

The complete text of the Digital Operational Resilience Act (DORA) is available via this link. You can learn more about the implementation schedule on the European Supervisory Authorities' websites, and about German market requirements on the German regulator BaFin's dedicated landing page, which is continuously updated (in German).

Are you an ICT service provider looking to expand into the EU financial sector, trying to understand the compliance requirements along the way, or unsure which critical compliance topics to address? Compliance is vital to European go-to-market (GTM) projects and can make or break your brand and positioning in the EU.

Book a free 30-minute consultation call now and let our experts navigate your positioning, GTM, and compliance requirements for you, hassle-free and time-efficiently. Our team of compliance, branding, marketing, and GTM experts will guide you through the complexities of expansion and help position you at the forefront of the EU Fintech and BankTech ecosystems.
