The Digital Operational Resilience Act (DORA) has quietly emerged as a significant regulatory force in the financial landscape, demanding attention and action from industry players across Europe.
DORA solves an important problem, says the European Commission. As the digital transformation of the financial sector accelerates, it also increases the exposure of companies to the risk of a major disruption if technology fails whether through a deliberate cyber attack or ICT system flaws and disruptions.
Highlighting the crucial need for the industry to strengthen its operational resilience and security, DORA introduces a unified supervisory approach across various financial market participants, including banks, payment firms, and investment entities.
It also lays down stringent requirements to ensure consistent security practices throughout the European Union, covering key areas such as ICT risk management, incident management and reporting, operational resilience testing, third-party risk management, and information sharing.
DORA establishes a Union-wide oversight framework for critical ICT third-party providers, designated by the European Supervisory Authorities (ESAs), which include the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA). These ESAs will also play a crucial role in developing regulatory and technical standards under DORA.
While aiming to bolster the financial sector within the EU, DORA’s implications extend beyond the borders of member states. Despite not directly applying to the UK, DORA holds relevance for many UK-based entities operating in the financial space, either due to their cross-border operations or their reliance on EU-based ICT service providers.
DORA came into effect in January 2023 but is enforceable in less than a year on 17 January 2025. But is it really such a big deal? We asked industry experts to share their views.
‘Strategic opportunity’
For Katarina Pranjic, head of policy & regulation at LexisNexis Risk Solutions, a provider of data and advanced analytics, the answer is a resounding yes.
“The significance of DORA cannot be overstated. In an era marked by escalating cyber threats and technological dependencies, DORA’s core objective of enhancing operational resilience within the financial sector is undeniably important. The alignment of regulatory standards across Europe is also a substantial step in the right direction towards harmonisation and standardisation.
“DORA promotes not only regulatory adherence, but a culture of proactive risk management and collaboration. For fintechs, this should be seen as a strategic opportunity. Those firms that prove best at reducing operational risk and building resilience will not only see a rise in credibility, but undoubtedly improved competitiveness gains too..”
DORA: getting shipshape
Yet despite the importance of DORA, it would seem many companies are still grappling with understanding its implications.
AJ Thompson, chief compliance officer at IT consultancy Northdoor, says companies should be doing more to address the complexities of DORA compliance and mitigate risks.
“DORA has come into effect and yet most companies are seemingly unaware of what is involved or the potential ramifications of not adhering,” he said. “Although this [January 2025 deadline] seems a long way off, companies need to start to work now in order to ensure that they are ahead of the game.
“This is after all about ensuring resilience in the face of an increasingly sophisticated threat and so can only be a good thing for the financial sector to ensure the right processes are in place sooner rather than later.”
Echoing Thompson’s sentiments, Fadl Mantash, chief information security officer at Tribe Payments, the UK-based issuer and acquirer processor, highlights the significance attention needed on system updates and operational risk reduction.
“Compliance with DORA could require major investment in system overhauls – the cost of compliance is something that large payment and fintech firms can afford, but it could place intense financial burdens on smaller players,” Mantash explains.
“However, reducing operational risk now has the potential to pay massive dividends in the future, in the form of increased client confidence and collaboration opportunities.
Risk management
DORA is set to reshape the relationship between financial firms and their third-party suppliers. For many entities, particularly those on the buy-side like hedge funds and proprietary trading firms, DORA represents a key moment to establish formalised third-party risk management practices.
But a recent study from management intelligence platform Acuiti that sheds light on the current state of third-party risk management within the financial sector also highlights the urgent need for enhanced practices and preparedness.
It reveals few firms currently meet the full requirements of DORA with exit strategies for critical vendors and the frequency of reviews of third-party relationships identified as key areas of weakness. However, 90 per cent of firms are increasing investment in third-party risk management to meet the requirements of DORA.
“There is significant work to be done by firms across the market to be ready for DORA,” says Will Mitting, founder of Acuiti.
“Currently, the operational resources required to meet the requirements of DORA is the biggest challenge facing most firms in the market in terms of their preparations for compliance. The industry will need to work together with vendors to streamline processes such as information requests in order to reduce the operational burden.”
Taking action
Pranjic suggests that fintechs should focus on thoroughly evaluating their cyber resilience and operational risk management strategies ahead of next year’s deadline.
“Fintechs that embrace the new Act will be able to confidently adapt to the shifting regulatory landscape and emerge stronger,” she adds. “In the run up to January 2025, fintechs should prioritise comprehensive assessments of their cyber resilience and operational risk management frameworks, including enhanced cyber and non-cyber risk management and DORA compliance internally and across the supply chain.”
While Thompson says it is key also to remember that the whole point of DORA is to ensure that financial institutions are able to withstand a cyber-attack or IT incident.
“Putting in place policies and strategies that ensure adherence will as a result also ensure that companies are better protected from attack and resilient enough to carry on business even if a cyber-criminal gets through,” he says.
Mantash suggests that as the deadline for compliance with DORA looms closer, payment firms should view it as more than a regulatory requirement, but instead as an opportunity to strengthen their digital foundations.
“Those that embrace this shift with agility and innovation are best placed to enhance customer trust and operational efficiency,” he said.
