What DORA Means for Fintech and Finserv Industries
Alasdair Anderson, VP of EMEA at Protegrity
Addressing Third-Party Risks
Financial institutions — including third-party ICT Service Providers like cloud vendors and data centres — had to evaluate their DORA readiness. Historically, third-party vendors had not had to shoulder as much regulatory pressure, often shifting the burden of breaches back onto the institutions they served.
For example, third-party cloud providers had previously been able to avoid disclosing their cybersecurity measures, leaving organisations at risk of violating their own policies.
Third-party risks such as these led to high-profile data breaches across 2024 — notably the Santander hack and the Finastra breach — which provided examples underscoring vulnerabilities in financial ecosystems.
Third-party risk can lead to a single point of failure which could disrupt an entire financial ecosystem. Alongside the consequences of regulatory fines and reputational damage, single points of failure could also incur extensive costs for institutions due to downtime and reparations.
DORA aims to harmonise security standards across the financial sector to mitigate the risk of third-party breaches. It also aims to enhance resiliency in everyday operations to reduce the risk of single points of failure, by requiring businesses to plan and be prepared for such events. These requirements to amend risk assessments, policies, and perhaps entire IT infrastructures extended beyond EU borders.
Olegs Cernisevs, Chief Technology Officer at Blackcatcard
How will DORA impact the EU fintech landscape?
Financial organisations had to constantly evaluate, manage and hedge their risk tolerance. This meant everything would be much more plan-oriented than action-oriented.
There were events most organisations didn't plan for — from internet or electricity shortages to even cyberattacks as DORA wanted to prevent. Creating a sturdy ICT security practice took time and effort, but it also created business resiliency and stability, which were very important but sometimes easily dismissed.
New regulations always led to challenges, like the MiCA Act, for example, which made crypto platforms just as compliant as any other financial platform. DORA would force management to take a much more proactive stance and constantly stress-test their IT operational resiliency. Conversely, fintech managers had to ensure suppliers and business partners took their IT security seriously with their third-party risk management.
At Blackcatcard, we viewed regulations as challenges to improve our offerings and we wanted to create a robust product our end users would love. We offered a seamless crypto integration into traditional online banking, and for that to happen, we had to be ahead of the curve when it came to regulations and eventually use that fact to stand out.
Jonathan Armstrong, Partner at Punter Southall Law
Jonathan Armstrong, Partner at Punter Southall Law, gives his insight into what finserv companies should expect now that the EU DORA regulation has been passed on 17 January 2024.
Jonathan is an expert in cyber security, compliance and technology law.
DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions. It applies to banks, insurers, investment firms and other financial institutions, as well as to key third-party service providers.
At its core is the recognition that financial systems across the EU are part of each country's critical national infrastructure. Many financial services organisations rely on a few key service providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.
While DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025. DORA had caused concern in the financial services, tech and cyber security communities so it was important for businesses to fully understand their responsibilities.
Sean Tilley, Director of Sales EMEA at 11:11 Systems
The impact of being non-compliant
Failure to comply with the regulations could land financial institutions in hot water, resulting in high fines similar to those associated with GDPR. These fines could increase daily until the issue is resolved, hitting organisations hard financially, and also impacting the reputation of the organisation that didn't comply with the regulation.
For example, when a cyber incident occurred, organisations were required to notify authorities and affected parties within a 72-hour window. If they didn't comply, the details of the breach would be made public. As such it was critical that these companies were constantly monitoring their IT environment for possible threats and breaches and were prepared to respond appropriately.
Partnering with experts to design a strong compliance framework
In terms of preparing for these regulations, every organisation had to undergo a comprehensive resilience review and gap analysis. This would assess how prepared the organisation was to handle a cyber incident and its ability to recover from it swiftly. This was achieved with an in-depth evaluation of key components, which included the current state of security infrastructure, incident response capabilities and ongoing monitoring efforts.
Moran Ashkenazi, Chief Security Officer at JFrog
Cyber security attacks were on the rise, open-source software was being adopted more than ever and the rates of bad actors exploiting vulnerabilities continued to increase.
The EU had recognised this and introduced DORA to mandate best practices for all financial organisations to avoid blind spots, due to their high-risk nature for individuals, businesses and economies. This limited the risks of being affected by a vulnerability and led to higher visibility across the ICT ecosystem, including the software supply chain, both of which were vital as developer and security teams continued to Shift Left to strengthen security procedures.
In relation to software development, the act mandated organisations to implement controls that ensured a robust security model for incident prevention. It required continuous monitoring, including third-party risk assessment — for components and services — automated security testing throughout the software development lifecycle, a documented trail of operational resilience achievements and effective cross-team communication.
JFrog had embraced this approach for years, supporting organisations that leveraged our end-to-end approach from software design to production. Globally, many organisations and companies used JFrog not only to achieve compliance with European regulations but also to realise business operational and economic efficiencies.
Ravi Khokhar, Global Head of Cloud for Financial Services at Capgemini
Introduced by the European Commission, DORA is aimed at bolstering the financial resilience of the sector in the European Union (EU). The act presents a response to the 2008 financial crisis, where the EU adopted measures to strengthen capital resources and liquidity while reducing market and credit risks.
DORA became fully effective in 2025 to broaden the focus on operational risk management and to ensure that infrastructure and software resilience were integral components for financial institutions and critical information and communication technology (ICT) providers operating within the EU.
Simply put, it required organisations to conduct comprehensive risk assessments and predict potential problems in their system, plus report any incidents that did happen so that they could be tracked, controlled, and stopped from occurring again.
It was important to highlight that DORA is a binding regulation applying directly to all EU Member States, eliminating the need for transposition into national law and the complexities associated with national alternatives and discretions.
The hope for this cross-industry supervisory approach to compliance is its ability to prevent illegal activities and disruptions to digital services, ultimately safeguarding society and the economy.
Rinesh Patel, Global Head of Financial Services Industry at Snowflake
What have been the implementation challenges and requirements?
Adaptation may have involved significant investments in technology, resources, staff and time. There are also stricter requirements on managing risks associated with third-party ICT service providers, requiring additional due diligence.
Walk us through DORA’s benefits and the prospect of collaboration
Despite the challenges, the benefits of the regulation are significant. A proactive approach to ICT risks could lead to reduced cyber disruptions, faster recovery times and strengthened customer and investor confidence. DORA also fosters collaboration across the industry, requiring stakeholders to work together and share information, helping to develop a more secure foundation for new ideas.
How does DORA impact service providers?
The most reliable service providers enable customers to mobilise their data with near-unlimited scale, concurrency and performance while keeping the organisation's data secure.
DORA offers a welcome opportunity for financial service organisations to rethink their cloud and data strategies, ensuring they could efficiently shift data and workloads to avoid downtime or outages and improve resilience.
How have firms developed compliance strategies?
This dialogue was a positive step for the industry, meaning that third-party providers could work together to meet requirements in a robust, compliant way, protecting data at all costs.
FinTech Magazine is a BizClik brand