The way that companies and individuals engage with financial services is changing due to emerging technology, which opens up opportunities for fintechs to provide solutions that enhance customer satisfaction and encourage inclusivity.

However, as new technologies develop, fraudsters have more ways to breach customer information and attack financial institutions online.

Step forward the Digital Operational Resilience Act (DORA), the newest EU rule intended to guarantee that all parties involved in the financial system have sufficient safeguards in place to deal with cyberattacks and other threats to consumers and financial institutions. DORA is scheduled to go into full force in 2025.

How does DORA work?

However, what precisely is DORA, and what are the requirements for fintechs and financial institutions to ensure compliance by 2025?

"The Digital Operational Resilience Act (DORA) is designed to guarantee all participants in the financial system have the necessary measures in place to mitigate and address cyber-attacks and other potential risks," says Ravi Khokhar, Global Head of Cloud at Capgemini.

"The European Commission introduced DORA with the goal of strengthening the sector's financial resilience inside the EU. The EU took measures to increase capital resources and liquidity while lowering market and credit risks, which was why the act was proposed as a response to the 2008 financial crisis.

In order to ensure that infrastructure and software resilience are essential components for financial institutions and crucial information and communication technology (ICT) providers operating within the EU, DORA is anticipated to be fully operational by 2025. This will broaden the focus on operational risk management.

In short, it mandates that organizations carry out thorough risk assessments, anticipate possible issues with their system, and report any incidents that do occur so that they can be monitored, managed, and prevented from happening again.

It's critical to emphasize that DORA is a legally binding regulation that applies directly to all EU member states, doing away with the necessity for national law transposition and the complications that come with national alternatives and discretions.

"This cross-industry supervisory approach to compliance is hoped to protect society and the economy by preventing illicit activities and disruptions to digital services.”

But do all businesses that must abide with DORA currently have the necessary resources in place? And what obstacles must you overcome to get there?

DORA: The difficulties and prospects

It is true that certain organizations will require more modifications than others in terms of a wide range of digital and technology factors. It is obvious that compliance and adaptation are required, and they must be completed within a year.

Khokhar states that standardizing criteria for resilience, requiring active cyber risk management, and emphasizing frequent testing and reporting of IT systems will be challenges for financial institutions.

"Basically, DORA sets consistent standards for the financial services industry that give priority to a strong degree of resilience for quick service recovery after cyberattacks," he continues.

DORA also mandates the use of sophisticated business continuity and disaster recovery procedures within this. Establishing and maintaining an Information and Communication Technology (ICT) risk management strategy is mandatory for businesses.

The difficulties don't end there either. Khokhar continues, "Cyber risk management is the next, and it's a growing challenge across the industry."

In fact, JP Morgan's Head of Asset and Wealth Management, Mary Erdoes, revealed the scope of the problem at the World Economic Forum 2024 in Davos, stating that the bank faces 45 billion hacking attempts daily.

"Overcoming this obstacle and successfully managing cyber risks necessitates the implementation of active procedures that include risk classification, monitoring, documenting, and reporting. Naturally, emergency and recovery plans must be put into place in addition to business management techniques, Khokhar suggests.

Regular IT system testing may present additional difficulties. To guarantee compliance, the testing plan must be updated often and reviewed on an ongoing basis. Vulnerability scans, network assessments, and penetration tests ought to be part of the test.

As was already mentioned, incident reporting and tracking are essential under DORA in order to take preventative action.

"Organizations must notify authorities of cyber events as soon as they occur. Establishing cooperative alliances within the sector would also benefit businesses as it will make the sharing of intelligence and information about cyberthreats easier.

As part of DORA's ICT resilience, IT contractual duties will, in fact, change as well. Khokhar continues, saying that third-party ICT providers would have their contracts modified and have their ICT resilience assessed in accordance with DORA.

"The regulation emphasizes how important it is for entities to actively manage and monitor external risks. It also calls for a comprehensive review of contracts, with the possibility of revisions to bring them into compliance with DORA rules, and the termination of collaboration with non-compliant providers."

Although there are a lot of obstacles to overcome, especially in the short time left before DORA takes full effect, there are also opportunities presented by the upcoming legislation.

According to Khokhar, "DORA offers opportunities for institutions by creating a centralized, all-inclusive framework for ICT risk management." In addition to encouraging collaboration within the EU, DORA might have enough clout to propel the adoption of a digital single market in the financial services industry globally.

To put ICT risk legislation into perspective, DORA provides precise legal advice, particularly for global financial institutions. It reduces the administrative and financial costs related to various rules that apply to financial entities and streamlines complex regulatory frameworks.

The list of tasks by 2025
It is the responsibility of organizations to position themselves for safe future operations within the EU in light of these benefits. On January 17, 2025, DORA is anticipated to take full effect, and there may be a long list of things that need to be done for some people. Khokhar offers his best advice below for organizations looking to implement revolutionary change.

"In order to make sure they don't fall behind, I urge organizations to get started early and take thorough steps to comply with rules.

ICT risk management, ICT incident reporting, digital operational reliance testing, ICT third-party risk, and information and intelligence sharing are the five resilience pillars upon which DORA is built. As such, preparations must be focused on these areas.

"ICT risk management, which necessitates extensive risk assessments to proactively avoid and detect potential threats, is vital for minimizing the likelihood of unanticipated assaults. This pillar exhorts every company to put the necessary safeguards in place, protect risk management, and build a strong framework for ICT risk management.

Institutions must first create a thorough framework for recognizing, categorizing, and managing risks; they must also design plans for risk mitigation, response, and recovery; and they must arrange for management and staff training.

Companies are required by law to submit comprehensive reports on incidents involving ICT, which must include details on the impacted users, data loss, system effect severity, geographic dispersion, service criticality, and economic impact.

This makes it possible to monitor incidents effectively, handle them, and make continuous improvements for improved recovery. In addition to creating internal and external notification channels, businesses should improve their incident classification procedures.

The next pillar is most likely the hardest to complete. Financial institutions are required to conduct threat-based penetration testing as part of the digital operational resilience testing process every three years.

Additionally, because this process might take up to two years, organizations must prepare ahead of time for the regulator-approved testing date of December 20, 2024.

Organizations are required by the ICT third-party risk pillar to incorporate third-party risk management into their risk strategy. Organizations need to develop clear policies and strategies.

To reduce the chance of noncompliance, they must create an extensive third-party registry and carry out frequent third-party audits.

Lastly, businesses are urged to build internal processing communication channels and automate solutions for effective information sharing with other institutions in order to foster cooperation amongst financial services organizations.

On January 17 of this year, the first set of final draft technical standards under DORA were released and sent to the Commission for approval.

The European Parliament and Council must still review the standards before they can be published in the Official Journal of the European Union. Nevertheless, these technical standards provide a solid framework for classifying ICT incidents, a set of rules for ICT third-party service contracts, standardized forms for information registration, and tools and procedures for risk management.

Although achieving complete DORA preparedness by January 2025 won't be simple, doing so is essential for real operational resilience. It won't be easy for any business, and for some players, it might even mean rewriting their entire technological infrastructure in addition to all the other workstreams.

"Businesses and the sector as a whole will benefit greatly from the journey toward DORA readiness, despite its challenges."