DORA: How the EU’s New IT Rules Will Affect Financial Institutions

The coming regulatory landscape signals a shift towards enhanced accountability and systemic risk management
The EU's Digital Operational Resilience Act (DORA) requires financial institutions and technology providers to meet stringent standards from 2025

In January 2025, the EU’s Digital Operational Resilience Act (DORA) will take effect, bringing transformative changes to how financial institutions manage their digital infrastructure.

Designed to safeguard the financial sector from digital disruptions, DORA sets out stringent obligations for EU-based firms and their global technology providers.

It is part of a raft of EU legislation intended to strengthen and harmonise the bloc’s cyber posture.

As a result, the regulation’s broad scope includes not only banks and insurers but also the technology companies underpinning modern financial systems, such as cloud computing providers, data centres, and software vendors.

Examining the scope and impact

The introduction of DORA comes at a time of heightened vulnerability in the financial sector.

As digital dependencies grow, so do the risks. High-profile incidents, such as a global IT outage experienced by cybersecurity provider CrowdStrike in July 2024, have underscored the potential for cascading disruptions.

Against this backdrop, DORA aims to bolster the sector’s resilience by addressing systemic risks tied to critical third-party service providers.

“DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions,” says Jonathan Armstrong, Partner at Punter Southall Law. “It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers.”


The regulation’s timing is deliberate, acknowledging the interconnectedness of financial systems across the EU.

“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure,” says Jonathan. “Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”

Technical and regulatory requirements

DORA mandates rigorous information and communication technology (ICT) risk controls, requiring financial institutions to implement ICT risk management frameworks, establish incident reporting mechanisms, and conduct regular digital operational resilience testing.

Additionally, it introduces an oversight framework for critical ICT providers, particularly cloud services. While DORA itself is a regulation and therefore directly applicable in Member States, an accompanying directive must be transposed into national law, including the setting of penalties, which may encompass criminal sanctions.


Although DORA is an EU initiative, its influence extends to cross-border financial institutions operating in European markets.

"Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025," says Jonathan.

Meanwhile, the UK has developed its own operational resilience framework, led by the Financial Conduct Authority and the Prudential Regulation Authority. The UK’s regulations, effective since March 2022, will reach full enforcement by March 2025.

This framework has already demonstrated its teeth: TSB Bank was fined £48.65m (US$62.2m) in December 2022 following operational risk management failures during an IT upgrade that disrupted services for thousands of customers.


Securing cross-border interactions

For institutions navigating both DORA and the UK’s operational resilience framework, compliance will require significant adjustments to technology procurement, risk management processes, and incident response protocols.

Firms must map critical services, implement testing protocols, and maintain detailed documentation of their digital infrastructure.

“DORA has caused concern in the financial services, tech, and cybersecurity communities, so it’s important for businesses to understand fully their responsibilities,” says Jonathan.

The coming regulatory landscape signals a shift towards enhanced accountability and systemic risk management, marking a new era for digital resilience in the financial sector.

Cyber Magazine is a BizClik brand