How EU's DORA Rules Reshape Global Financial Technology

The European Union's Digital Operational Resilience Act (DORA) will fundamentally change how financial institutions manage their digital infrastructure from January 2025, creating new obligations for both EU-based firms and their global technology providers.

Scope and Impact

The regulation establishes a framework that reaches beyond traditional financial institutions to encompass the technology companies that serve them. 

This includes cloud computing providers, data centres, and software companies that form the backbone of modern financial infrastructure.

Jonathan Armstrong, Partner at Punter Southall Law, a UK-based compliance and technology law firm, says: “DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions. It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers.”

The timing of DORA follows a period of increased digital vulnerability in the financial sector. In July 2023, CrowdStrike, a cybersecurity provider, experienced a global IT outage that affected financial institutions through its integration with Microsoft's systems.

“At its core is the recognition that financial systems across the EU are part of each country's critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU,” Jonathan says.

Technical Requirements

DORA mandates specific Information Communication Technologies (ICT) risk protocols. Financial institutions must implement digital risk management systems, create incident reporting mechanisms, and conduct regular operational resilience testing.

The regulation introduces an oversight framework for critical ICT providers, particularly cloud services. While DORA regulations apply directly in Member States, an accompanying directive requires implementation into national law.

Member States will determine penalties under DORA, which can affect both individuals and organisations. The framework permits criminal penalties, reflecting a move toward personal accountability for cybersecurity failures.

UK Regulatory Response

While DORA applies to EU institutions, the UK has developed its own operational resilience framework through the Financial Conduct Authority and Prudential Regulation Authority. 

These rules, implemented in March 2022, reach full enforcement by March 2025.

The UK system has demonstrated its enforcement capability. TSB Bank, a UK retail and commercial bank, received a £48.65m (US$62.2m) fine in December 2022 after operational risk management failures during an IT upgrade led to widespread customer service disruption. The bank paid £32.7m (US$41.2m) in customer compensation.

Cross-Border Implications

Financial institutions operating across European markets must navigate both DORA and UK requirements. The regulations affect technology procurement, risk management processes, and incident response protocols.

“DORA has caused concern in the financial services, tech and cyber security communities so it's important for businesses to understand fully their responsibilities. 

“Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025,” Jonathan says.

Financial institutions must now evaluate their technology infrastructure, third-party relationships and regulatory compliance frameworks. 

The regulations require firms to map critical services, implement testing protocols and maintain detailed documentation of their digital infrastructure.

**************

Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024. 

**************

FinTech Magazine is a BizClik brand.