How EU's DORA Rules Reshape Global Financial Technology

Share
How EU's DORA Rules Reshape Global Financial Technology
New Digital Operational Resilience Act (DORA) requires financial institutions and technology providers to meet stringent operational standards from 2025

The European Union's Digital Operational Resilience Act (DORA) will fundamentally change how financial institutions manage their digital infrastructure from January 2025, creating new obligations for both EU-based firms and their global technology providers.

Scope and Impact

The regulation establishes a framework that reaches beyond traditional financial institutions to encompass the technology companies that serve them. 

This includes cloud computing providers, data centres, and software companies that form the backbone of modern financial infrastructure.

Jonathan Armstrong, Partner at Punter Southall Law, a UK-based compliance and technology law firm, says: “DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions. It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers.”

The timing of DORA follows a period of increased digital vulnerability in the financial sector. In July 2023, CrowdStrike, a cybersecurity provider, experienced a global IT outage that affected financial institutions through its integration with Microsoft's systems.

“At its core is the recognition that financial systems across the EU are part of each country's critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU,” Jonathan says.

Jonathan Armstrong

Technical Requirements

DORA mandates specific Information Communication Technologies (ICT) risk protocols. Financial institutions must implement digital risk management systems, create incident reporting mechanisms, and conduct regular operational resilience testing.

The regulation introduces an oversight framework for critical ICT providers, particularly cloud services. While DORA regulations apply directly in Member States, an accompanying directive requires implementation into national law.

Member States will determine penalties under DORA, which can affect both individuals and organisations. The framework permits criminal penalties, reflecting a move toward personal accountability for cybersecurity failures.

UK Regulatory Response

While DORA applies to EU institutions, the UK has developed its own operational resilience framework through the Financial Conduct Authority and Prudential Regulation Authority. 

These rules, implemented in March 2022, reach full enforcement by March 2025.

The UK system has demonstrated its enforcement capability. TSB Bank, a UK retail and commercial bank, received a £48.65m (US$62.2m) fine in December 2022 after operational risk management failures during an IT upgrade led to widespread customer service disruption. The bank paid £32.7m (US$41.2m) in customer compensation.

Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU” 

Jonathan Armstrong, Partner, Punter Southall Law

Cross-Border Implications

Financial institutions operating across European markets must navigate both DORA and UK requirements. The regulations affect technology procurement, risk management processes, and incident response protocols.

“DORA has caused concern in the financial services, tech and cyber security communities so it's important for businesses to understand fully their responsibilities. 

“Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025,” Jonathan says.

Financial institutions must now evaluate their technology infrastructure, third-party relationships and regulatory compliance frameworks. 

The regulations require firms to map critical services, implement testing protocols and maintain detailed documentation of their digital infrastructure.

**************

Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024

**************

FinTech Magazine is a BizClik brand.

Share

Featured Articles

Railsr to Acquire Equals in All-Cash £283m Deal

Railsr has agreed to acquire Equals Group plc in a recommended all-cash deal valuing Equals at approximately £283m

Mastercard: AI Evolution Reshapes Finserv Landscape

Mastercard charts path for enterprise AI in latest Signals report as adoption accelerates across banking and payments sectors

GFT: UK Banks Face Consumer Distrust Over IT Resilience

GFT survey highlights one in four British customers are stockpiling cash amid distrust in financial organisations to maintain reliable digital services

Morgan Stanley: 2025 Economic and Investment Outlook

Financial Services (FinServ)

Deloitte: Are Banks Ready for 2025?

Banking

Money20/20: Oracle & NVIDIA Partners Drive Fintech Surge

Financial Services (FinServ)