Bob Wambach, VP Product Portfolio at Dynatrace, breaks down the potential benefits of the EU’s new DORA regulations for UK financial organisations.

After years of talk and preparation, financial services firms and ICT providers must now comply with the European Union’s Digital Operational Resilience Act (DORA). If the regulation succeeds in its aims, it will significantly improve the financial sector’s ability to withstand and respond to cyber threats and IT failures. New cybersecurity frameworks, incident reporting requirements, and the obligation to regularly test the operational resilience of their IT systems will put financial services providers on a firm footing to weather disruption and prevent service outages.  

Implications for UK providers 

Critically, while DORA is an EU regulation, it has major consequences for UK-based financial organisations. Europe is a critical market for many large UK banks and insurers; therefore compliance is vital to preserving trust and boosting their relationships with customers. Falling short of the same standards as European banks could potentially lead to a two-tier market, divided into providers that are resilient by default and those that represent a risk to the customers that rely on them.  

Up to 20 million people in the UK were affected by cyber-attacks on financial organisations in 2023 alone. The consequences of an attack or outage in financial services are significant, ranging from lost revenue and operational disruption to damage to customer trust and rising regulatory fines. The UK’s Financial Conduct Authority has increasingly emphasized the importance of operational resilience, and DORA’s focus on strengthening these measures through risk management frameworks and incident response plans highlights the need for firms to manage potential cybersecurity threats and system failures effectively. 

The challenges of compliance 

Organisations need to address four key challenges to align themselves with the standards DORA sets for compliance:

1. Overcoming complexity

Financial service providers operate in complex environments that contain countless applications, ranging from trading platforms to fraud detection tools. These applications run on highly distributed cloud infrastructures, draw data from multiple stores, and rely on the support of a variety of third-party vendors. In fact, 91% of banks have initiated their cloud journey, but many are now realising that it comes with increased cybersecurity risks and complex governance requirements. Meanwhile, 84% of IT leaders say multicloud complexity makes it more difficult to protect applications from vulnerabilities and attacks. That complexity also makes it harder to monitor for and identify vulnerabilities or incidents, which increases the risk of missing tight reporting deadlines.

2. Vulnerable supply chains

DORA highlights the importance of managing risks tied to third-party ICT service providers. However, financial institutions often face challenges in doing so due to complex supply chains and the autonomy vendors maintain over their security practices. Effectively addressing these external risks involves strong contractual agreements and ongoing monitoring of vendors’ cybersecurity postures. 

3. Stretched compliance teams

DORA compliance demands skilled personnel, advanced technologies, and significant investment in incident response capabilities. Yet it is estimated that one compliance professional in a large company can be left to deal with the data of 14,315 people and businesses. Therefore, organisations need to ensure adequate resources are available to ease the pressure on compliance professionals. 

4. The burden of new regulations

Change management and establishing procedures for new regulations are time-consuming and susceptible to errors. To address those challenges and manage resources efficiently, DORA compliance needs to integrate seamlessly with existing risk management, incident response, and business continuity practices.

The promise of observability 

Regardless of DORA, many of these challenges already exist. Financial service providers are no strangers to increasing IT complexity, over-stretched workforces, or worrying over the security practices of their third-party providers. Addressing these issues requires more than traditional monitoring approaches; it calls for deeper insights across an organisation’s entire technology stack. By monitoring their systems more holistically with end-to-end observability, teams are empowered to optimise operations and make informed decisions that help mitigate disruption and improve resilience. 

However, it's important to remember that compliance will only take financial services firms so far. Firms across Europe and the UK must be ready not only to meet DORA's baseline requirement to report on incidents as they occur, but also to put their teams in a position to respond instantly and prevent operational disruption. This requires going beyond checkbox compliance measures.

Organisations need to embrace a culture of resiliency first, continuously testing their services to find areas for improvement. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to rapidly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed.  

Being compliant and effective 

DORA is here to stay. Compliance isn’t negotiable but firms do now have an opportunity to take a proactive stance towards resilience. 

Ensuring DORA compliance is just the first piece of the puzzle and a springboard to nurturing a wider culture of resiliency. This will put businesses in the best place to enhance their brand reputation, which in turn will help to retain and attract new customers and ultimately drive growth.  
