How EU's DORA Rules Reshape Global Financial Technology

New Digital Operational Resilience Act (DORA) requires financial institutions and technology providers to meet stringent operational standards from 2025

The European Union's Digital Operational Resilience Act (DORA) will fundamentally change how financial institutions manage their digital infrastructure when it applies from 17 January 2025, creating new obligations for both EU-based firms and their global technology providers.

Scope and Impact

The regulation establishes a framework that reaches beyond traditional financial institutions to encompass the technology companies that serve them. 

This includes cloud computing providers, data centres, and software companies that form the backbone of modern financial infrastructure.

Jonathan Armstrong, Partner at Punter Southall Law, a UK-based compliance and technology law firm, says: “DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions. It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers.”

The timing of DORA follows a period of increased digital vulnerability in the financial sector. In July 2024, a faulty content update to the Falcon sensor from CrowdStrike, a cybersecurity provider, crashed Windows systems worldwide, causing a global IT outage that disrupted financial institutions alongside airlines, hospitals and other services.

“At its core is the recognition that financial systems across the EU are part of each country's critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU,” Jonathan says.


Technical Requirements

DORA mandates specific information and communication technology (ICT) risk controls. Financial institutions must implement an ICT risk management framework, establish mechanisms for classifying and reporting major ICT-related incidents to their regulator, manage the risk arising from ICT third-party providers, and conduct regular digital operational resilience testing.

The regulation also introduces a direct oversight framework for ICT providers designated as critical, particularly cloud services. DORA itself is an EU regulation and so applies directly in every Member State; an accompanying amending directive must be transposed into national law.

Member States will determine penalties under DORA, which can affect both individuals and organisations. The framework allows Member States to provide for criminal penalties in their national law, reflecting a move toward personal accountability for cybersecurity failures.

UK Regulatory Response

While DORA applies to EU institutions, the UK has developed its own operational resilience framework through the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA). 

These rules came into force in March 2022, with a transition period that ends in March 2025, by which time firms must be able to remain within their impact tolerances for each important business service.

The UK system has demonstrated its enforcement capability. TSB Bank, a UK retail and commercial bank, received a £48.65m (US$62.2m) fine in December 2022 after operational risk management failures during an IT upgrade led to widespread customer service disruption. The bank paid £32.7m (US$41.2m) in customer compensation.

Cross-Border Implications

Financial institutions operating across European markets must navigate both DORA and UK requirements. The regulations affect technology procurement, risk management processes, and incident response protocols.

“DORA has caused concern in the financial services, tech and cyber security communities so it's important for businesses to understand fully their responsibilities. 

“Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025,” Jonathan says.

Financial institutions must now evaluate their technology infrastructure, third-party relationships and regulatory compliance frameworks. 

The regulations require firms to map critical services, implement testing protocols and maintain detailed documentation of their digital infrastructure.


FinTech Magazine is a BizClik brand.
