Exploring DORA: What New Regulations Mean for Financial Firms


We normally think of regulations that apply to financial entities as primarily about the management of financial risk, such as measures to ensure that firms are sufficiently well capitalized. Alternatively, they can center on the prevention of financial crimes, as in the case of KYC/AML rules.

But now, owing to the interconnectedness of the digital age, the shortening of settlement cycles, and the expansion of attack surfaces due to more people working remotely, data is coming sharply into focus.  

According to TechCrunch, 2024 was a particularly bad year for data breaches, with in excess of 1 billion records stolen. According to The BCI's Cyber Resilience Report of 2024, 75% of the cybersecurity specialists who were surveyed reported a rise in attacks, and 39.4% of them had experienced a successful breach.

With this spotlight on cybersecurity comes a wave of new financial regulations that explicitly deal with information and communication technology (ICT) risk. A landmark in this respect is the EU's Digital Operational Resilience Act (DORA).

The lowdown 

The purpose of DORA is to enhance digital resilience across the EU by obliging financial firms to perform thorough security audits and tests of their network and information systems, ensuring that there are no weak links. This includes the cataloging and reporting of incidents, information sharing, as well as having rigorous contingency plans and failsafes in place should system disruption occur.  

The regulation was introduced on January 16, 2023. The EU then offered businesses a two-year grace period to familiarize themselves and take the necessary steps to ensure compliance. DORA came into force on January 17, 2025. 

The aim of DORA is to harmonize ICT risk management regulations and practices across the European Union, as is the case with other regulations such as MiFID II (Markets in Financial Instruments Directive) and MiCA (Markets in Crypto Assets).

Prior to DORA, the EU had released general guidelines on ICT risk management; however, these did not apply to all financial entities. Individual member states introduced their own rules based on these guidelines, but these have proven difficult for firms to navigate, particularly firms that operate in multiple jurisdictions.

DORA aims to improve these standards and to coordinate them across all EU member states, as well as defining all the different types of businesses that are affected. Currently, DORA applies to 20 different types of entities, including ICT third-party software and service providers.

DORA concerns a host of third parties that previously wouldn’t have come under oversight such as: Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) providers, cybersecurity services, data center services, data analysis services, network management services, and more. 

The six DORA requirements 

In order to shore up the digital resilience of the European Union’s financial entities, DORA focuses on six core areas of action. 

ICT risk management 

Financial entities are now required to introduce comprehensive risk management plans aimed at preventing cyber-attacks and the disruptions that these can lead to. Financial entities are also required to have recovery plans in place should such attacks and their resultant disruptions occur.  

ICT third-party risk management

With DORA, third-party providers now also receive oversight. Third-party providers have become crucial to the financial infrastructure by supplying key components to financial firms. As such, financial entities are now responsible for managing the risk associated with their external providers. They are required to conduct a thorough audit of their dependencies, to increase the due diligence they practice when selecting third-party vendors, and to include contractual provisions requiring that these third parties also comply with DORA.

Digital operational resilience testing 

In order to be fully compliant with DORA, financial entities are required to perform resilience testing of their systems. These are essentially cyber-attack drills in which systems are tested for their ability to withstand and recover from penetration. These tests are required to be performed every three years, and full reports must be forwarded to the regulator in order for the tests to be validated and signed off on.

ICT incident reporting

Financial entities are now required to be able to identify, classify, and record all ICT incidents that occur. These incidents must be reported to the regulator in a timely fashion so that it can marshal an appropriate coordinated response and prevent such attacks from spreading further across the financial system.

Information sharing 

Financial organizations are also required to share intelligence regarding potential threats and vulnerabilities. This directive encourages a collaborative approach, the idea being that by working collectively, individual financial firms will be able to benefit from the knowledge and experience that other parties have gained. By encouraging such collaboration, DORA hopes to improve digital resilience both individually and collectively across the EU. 

Oversight of critical third parties 

This final point includes the development of an oversight framework specifically for third-party firms that are considered critical to the financial system. The EU's three supervisory authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), are currently in the process of identifying what they regard as Critical Third-Party Providers (CTPPs), which will be required to report directly to these authorities.

This process is currently underway: relevant authorities are required to submit the CTPPs operating in their jurisdictions by April 30, 2025. By July, all organizations designated as CTPPs will be contacted and alerted to their new status. A six-week period will then follow in which firms may appeal their classification as a CTPP. After this period, they will start being overseen by the relevant bodies.

Consolidation vs redundancy 

As a fintech technology provider, we observe certain trends that we believe will become key issues for firms seeking to remain competitive and compliant with the spate of new global ICT regulations, of which DORA is just one.  

The tension between consolidating technologies for the sake of scalability, efficiency, and reporting, versus the resilience inherent in running multiple systems from multiple providers, is particularly relevant here. 

A recent study by Acuiti points to this very tension between the consolidation of order management systems (OMS) and the maintenance of redundancies for the sake of operational resilience.

Consolidation is clearly in the interests of economies of scale, ease of reporting, improved data analytics, and ease of use. Maintaining redundancies, however, provides some protection against worst-case scenarios should an issue emerge in any business-critical component, or in the event that such a component proves vulnerable to attack.

The study highlights the variation in business models regarding OMS usage: some businesses opt to keep different segments siloed, each with its own OMS, while others opt to unify these segments and run as few different OMS applications as possible.

24% of respondents stated that they had reduced the number of OMS applications they rely on, 33% had made no change, while 43% had increased their number of OMS systems. 

Conversely, when asked whether they plan to consolidate OMS applications across asset classes, 46% replied “no”, while 33% replied “yes to a limited extent,” and 21% replied “yes, to a significant extent.”

For our part, we are always keen to demonstrate that it's not an either/or scenario. Consolidation may be achieved without necessarily sacrificing resilience, via a combination of strategies such as running multiple horizontal instances of a system and maintaining sufficient, geographically separate recovery failsafes.

Digital transformation 

In our experience, the above tensions are part of an ongoing trend in digital transformation that’s being felt and responded to differently by different types of financial entities. 

Younger, more agile financial institutions, like the wave of zero-commission brokerages and neo banks that emerged over the past decade or so, have enjoyed the advantage of not having to negotiate between legacy systems and current technological requirements.  

They’ve been able to build their infrastructures from scratch with scalability, security, and digital resilience as priorities from the beginning. As a result, these entities are far more comfortable with consolidation as a principle of efficient design, rather than it being imposed on them from outside by the costs associated with regulatory compliance, or scalability and competitiveness concerns.

In contrast, it is often the older, better established financial institutions that have more work to do in this regard. They depend on older technologies, which are more vulnerable to attack, and their redundancies are often more a function of the way they have grown and added new verticals to their business models over time than of an abiding concern with digital resilience. As a result, these are the businesses that we expect will have the longest to-do lists when it comes to ensuring compliance with regulations like DORA.

Of course, this cuts both ways: larger organizations certainly have more to do, but they also have larger budgets and more human capital to assign to the task. Smaller businesses have less to worry about, but also fewer resources and competent team members to perform the kind of in-depth audits and tests that DORA requires.

We believe that some degree of consolidation will become important for firms wishing to remain both compliant and competitive. In this respect, we think that the larger organizations will have to start with the relatively low-hanging fruit. The consolidation of middleware, such as order management systems, could be a good place to start. This appears to be the conclusion that certain financial businesses are coming to, as referenced in the Acuiti survey.

Immutability and recovery 

The immutability and recovery of data after cyberattacks or other system failures will be another area into which we anticipate investment being funneled. Entities that have thus far been flying by the seat of their pants in this regard are required by DORA to have certain recovery failsafes in place.

This more costly item on the digital resilience to-do list may be where firms opt to allocate their increasing cybersecurity budgets. According to Cymulate, the financial services industry lags behind business services, retail, and technology firms when it comes to security spending as a percentage of overall budget. This is quite a counterintuitive statistic when you consider how much is actually on the line for financial services firms in the event of a successful attack. 

The larger incumbents that do not already maintain geographically separate, air-gapped, duplicate systems that allow full transaction recovery and replay are probably the most likely to be able to absorb the costs associated with such endeavors. But the costs of such redundancies, which can be prohibitive for many smaller firms, also reflect the astronomical cost of failure for larger, systemically important financial entities.

Small to medium financial entities, which may not require such extensive failsafes, are also able to build resilience into their organizations by using a multi-node architecture and a geographically distributed cloud infrastructure, as mentioned above. In our experience, the relative affordability of such an approach leads many to want to build this kind of functionality in from the start. Alternatively, these kinds of redundancies may be added over time as young firms experience their first growth spurts and go on to perform their first system migrations in a manner that can serve this growth and meet their future needs.

Conclusion 

Changes in market dynamics can occur from the ground up, as customer behaviors evolve in response to a shifting economic climate, but they can also be imposed from the top down by new rules that apply across the board and force change in certain fundamental business practices.  

Beyond the much-needed push towards increased operational resilience that DORA seeks to legislate, the ensuing shakeup, as firms make the changes necessary to meet these requirements, will provide many opportunities to increase competitiveness, perhaps even for new leaders to emerge in certain verticals.

In our frequent role of trying to squeeze every last drop of efficiency out of a system, we view these new regulations as an opportunity rather than a challenge, and we encourage financial services businesses to also view them in this light.

The changes you make today may not just protect you from the risks of a complex digital world, but may also allow you to cut certain costs, increase efficiency, and gain more actionable insights from the data that flows through your systems.

We’d be more than happy to discuss this or any other ideas that this article has raised with you. 

Set up a meeting with one of our specialists.
