DORA: A universal standard for financial resilience

DORA mandates that financial institutions enforce strong ICT risk management protocols not only for themselves but also for their third-party suppliers

The digital landscape of finance is rapidly evolving, and this growth brings vulnerabilities within the digital infrastructure of financial institutions. The European Union Digital Operational Resilience Act (DORA) is a legislative measure addressing these vulnerabilities by establishing essential standards for cybersecurity across the financial sector in the European Union.

In this analysis, we examine the implications, goals, and potential impact of DORA, focusing on its four main pillars: ICT Risk Management, Incident Management, Third-Party Risk Management, and Threat-led Penetration Testing (TLPT). This data-driven piece highlights why DORA is more than just a regulatory framework; it is a guide for achieving proactive digital resilience in a globally interconnected financial ecosystem.

Strengthening digital defences

The first and foundational pillar of DORA is Information and Communications Technology (ICT) Risk Management, which mandates that financial institutions enhance their digital defences. This requirement goes beyond basic cybersecurity measures: it is the basis upon which financial institutions must build their cybersecurity strategies. DORA requires that every financial entity under its jurisdiction develop a robust framework for managing ICT risks, one that moves beyond merely protecting systems from cyberattacks.

This approach ensures that all firms, regardless of their size, meet a consistent level of ICT risk management requirements. Larger institutions may already have sophisticated systems, but smaller firms or those formed through acquisitions may struggle with inconsistencies. Companies operating across multiple regulatory environments must now synchronise their ICT risk management practices, ensuring uniformity across all branches.

Firms managing ICT risk inconsistently, due to acquisitions across various jurisdictions or disparate ICT policies, will now face stringent new expectations under DORA. These include ongoing assessments of risks linked to new ICT initiatives and continuous reviews to ensure practices keep up with evolving threats.

Data from the European Commission shows that over 62% of cybersecurity incidents faced by European financial institutions involve vulnerabilities that could have been mitigated with standardised ICT procedures. In 2022 alone, over 280 major incidents were attributed to weak ICT practices. DORA’s approach to ICT risk management aims to close this gap by encouraging a proactive, risk-centred strategy. While this change will require considerable investment, particularly for those with disorganised risk management systems, the goal is a more secure digital environment through enhanced systems, dedicated staff, and consistent monitoring.

The second pillar of DORA is Incident Management, which ensures a quick and organised response to digital disruptions. In today’s digital world, incidents, ranging from minor errors to major cyberattacks, are unavoidable. DORA focuses not only on resolving these incidents but also on reporting them properly and learning from them to enhance resilience and prevent future occurrences.

Under DORA, financial institutions are required to report incidents promptly and in detail. This includes classifying incidents based on severity, according to the draft Regulatory Technical Standards (RTS). Seven classifications are used to standardise incident reporting, which promotes transparency and helps others learn from each event to strengthen their defences.

Financial institutions must update their Standard Operating Procedures (SOPs) to incorporate these new classification and incident management requirements. Detection systems, response frameworks, training programmes, and audit schedules must be revamped to support these standards.

Recent studies by IBM indicate that early detection and rapid response can reduce the cost of a data breach by nearly 30%. The average cost of a data breach for financial institutions is $5.85 million, meaning early detection could save approximately $1.76 million per incident. By mandating effective SOPs, combined with ongoing training, incident simulations, and audits, DORA aims to ensure financial institutions not only respond to incidents but do so in a way that builds systemic resilience. Although this approach requires substantial investment, it will foster a culture of preparedness and strength across the European financial sector.

Financial institutions are not isolated entities; they operate within interconnected systems that depend on numerous third-party service providers, each with risks. DORA’s third pillar, Third-Party Risk Management, acknowledges the risks that these partnerships pose and aims to eliminate vulnerabilities arising from them.

The interconnected nature of finance means that a cybersecurity breach involving a minor third-party provider can have major consequences for a financial institution. DORA mandates that financial institutions enforce strong ICT risk management protocols not only for themselves but also for their third-party suppliers. Regulators will oversee these suppliers to ensure that third-party entities do not become weak links in the financial chain.

One significant aspect of DORA’s approach is its emphasis on accountability. Financial entities cannot outsource their responsibility for compliance: even if a service is managed by an external party, the primary financial institution remains accountable for managing the related ICT risks. This fundamentally changes how financial institutions approach outsourcing, particularly in ICT, by requiring firms to set clear expectations for their suppliers and conduct regular audits to ensure compliance.

A survey by the Ponemon Institute found that 53% of organisations experienced at least one data breach involving a third-party vendor in the past two years, and the average cost of such a breach was approximately $4.29 million. Under DORA, financial institutions must establish stricter controls over their outsourcing processes and conduct frequent audits to mitigate risk and meet regulatory requirements.

Implementing DORA’s third-party risk management standards will increase procurement costs and necessitate more complex contract negotiations. Financial institutions must align third-party contracts to ensure suppliers meet the same obligations as the primary institution. This will change how service providers are evaluated, prioritising their ICT resilience and regulatory adherence.

The fourth pillar of DORA introduces Threat-Led Penetration Testing (TLPT) as a proactive cybersecurity measure. TLPT, inspired by the Threat Intelligence Based Ethical Red Teaming (TIBER-EU) framework, involves simulating cyberattacks across the attack surfaces of major financial institutions. The purpose is straightforward: identify vulnerabilities before they can be exploited by malicious actors.

Unlike traditional audit exercises, TLPT is dynamic and strategic. It involves ethical hackers attempting to identify weaknesses within an institution’s security. The findings are crucial for understanding an institution’s vulnerabilities and enhancing cybersecurity defences. Systemically important financial institutions are the primary targets of TLPT, ensuring that critical parts of the financial system are prepared for real threats.

According to the European Central Bank, TLPT exercises provide insights that lead to improved incident response capabilities and better threat intelligence. Institutions that implemented TLPT saw a 25% reduction in the time to respond to simulated threats. TLPT isn’t just about compliance; it’s about developing preparedness through simulated attacks, ensuring that executives and boards are ready for real cyber threats.

To implement TLPT, financial institutions will need to invest in specialised expertise, both in-house and contracted. However, the benefits, including increased system integrity and reduced vulnerability, outweigh the costs. TLPT is an essential component of transitioning from a reactive to a proactive cyber risk management strategy.

Accountability in the digital age

Accountability and transparent governance are crucial components of DORA. Financial institutions are accountable not only to regulators but also to their boards of directors. Under DORA, the role of boards in overseeing cyber risk will expand, requiring executive teams to acquire the knowledge and skills needed to manage cybersecurity effectively.

This requirement aligns with the NIS 2 Directive, which mandates that senior management be trained to understand cyber risks and integrate these risks into broader operational strategies. Robust reporting structures ensure that boards remain informed about ICT risks and resilience efforts, shifting their role from passive recipients of information to active participants in digital risk management.

DORA encourages an asset-centric approach to ICT risk management. IT assets should be seen as just as important as business assets, forming the foundation of a financial institution’s capabilities. Failing to protect these assets adequately can disrupt business continuity.

The concept of Integrated Risk Management (IRM) is crucial here. Unlike traditional approaches that manage risks separately, IRM provides a comprehensive view, linking ICT risk directly to business continuity and resilience. By treating IT assets as core components of business capability, financial institutions can align risk management strategies to be more proactive and effective.

In practical terms, institutions will need to automate risk management processes. Automated systems allow financial institutions to efficiently identify, assess, and respond to risks, helping them build a fully integrated defence mechanism. The focus is on using digital tools to not only meet compliance standards but also improve efficiency through process automation.

DORA’s broader impact

Although DORA is an EU regulation, its influence will likely be felt globally. Over 45% of non-EU financial institutions with EU clients are already updating their risk management frameworks to align with DORA’s requirements. Financial institutions outside the EU that do business with EU clients or have operations in the EU must adhere to DORA’s stringent ICT and third-party risk management requirements. In this way, DORA sets a new global standard for digital resilience in finance.

Other jurisdictions may soon adopt similar frameworks to ensure that their financial institutions remain compliant and competitive when dealing with European counterparts. Just as GDPR sets a precedent for global privacy standards, DORA’s focus on ICT resilience may establish a benchmark for cybersecurity and operational risk management across the international financial sector.

DORA is more than just a set of regulatory requirements, as it represents a vision for the future of finance that is grounded in resilience, accountability, and proactive digital risk management. While these requirements may seem burdensome, especially for smaller firms, the long-term benefits are undeniable: a secure and stable financial system capable of handling the complexities of the digital age.

For financial institutions, successfully navigating DORA’s requirements will depend on adopting an integrated approach to compliance. ICT risk management, incident management, third-party oversight, and TLPT must all function as part of a cohesive strategy that protects digital infrastructure. Management must be prepared to transition from traditional, isolated risk management practices to a unified, future-oriented strategy that acknowledges the interconnected nature of digital threats.

The financial sector must understand that DORA requires more than just checking off compliance boxes; it calls for a cultural shift within organisations. Digital resilience should be as central to operational success as financial health. Executive management and boards play a critical role in driving this change, moving cybersecurity from a peripheral concern to a core element of strategic planning.

By setting high standards for ICT risk management, transparency, and third-party governance, DORA challenges financial institutions to advance their digital capabilities and build strong defences against an evolving threat landscape. Although these changes may be demanding, they promise a financial system that is compliant and genuinely resilient in the face of ongoing digital evolution.
