DORA: New rules for digital resilience in the financial sector

DORA came into force at the beginning of 2025. For many financial service providers, this means more work and at the same time the opportunity to strategically anchor security.

In January 2025, DORA became a reality. For many financial service providers, this means more effort, new processes - and at the same time the opportunity to strategically anchor security and resilience.

Hardly any other sector is as dependent on digital infrastructures as the financial sector. Whether payment transactions, securities trading or customer communication - everything today runs via networked systems. And it is precisely these systems that are increasingly being targeted by cyberattacks. Such attacks and data breaches have unfortunately become almost commonplace, which has fueled the need for stricter regulatory frameworks.

The EU is responding with a comprehensive set of regulations that provides a digital shield for financial companies: the Digital Operational Resilience Act (DORA). But what does this mean in concrete terms - and how can financial institutions prepare sensibly?

What is DORA?

In response to the growing threat situation, the European Union has created a uniform European framework for digital resilience in the financial sector for the first time with DORA. However, DORA is not only intended to create a uniform supervisory basis, but also to ensure greater IT security and improved crisis resilience across the entire sector.

Who is affected?
In short: almost all regulated financial institutions - banks, insurance companies, asset managers, payment service providers and their IT service providers, even if the latter are based outside the EU.

Important deadline:
The regulation has been in force since January 2023. All requirements must be implemented by January 17, 2025 - without exception.

Why DORA counts now

Cyber threats are increasing rapidly - as shown by figures from Switzerland and Germany. At the same time, the expectations of supervisory authorities and customers are growing: security, transparency and availability are no longer nice extras, but business-critical requirements.

Against this backdrop, DORA brings order to a previously fragmented landscape of rules and regulations. The focus here is not on reacting to external influences, but on actively practising digital resilience: systems should ward off disruptions, maintain business processes and get back up and running quickly - even in the event of a crisis.

In an era of increasingly complex IT landscapes - from hybrid infrastructures to multi-cloud environments - financial institutions are facing a new reality: simply protecting their own IT infrastructure is no longer enough. They must be able to prove at any time how sensitive data is processed, stored and shared, internally and externally. This is a challenging task, but also an enormous opportunity to take their digital infrastructure to a new level.

What DORA requires: The most important requirements

  1. ICT risk management
    A comprehensive, documented framework is mandatory. The responsibility clearly lies with the management. It is no longer enough to be aware of IT risks - they must be systematically assessed and addressed.

  2. Incident reporting obligations
    Serious IT incidents, such as those that cause significant service interruptions, data breaches or loss of integrity, must be reported to the supervisory authority immediately - even if not all the details are known yet. Clear processes and well-coordinated teams are crucial here.

  3. Resilience tests
    Financial companies must regularly put their systems through their paces - for example through penetration tests that simulate realistic attack scenarios. The larger the company, the stricter the requirements.

  4. Keeping an eye on third-party providers
    The management of IT service providers is a particularly sensitive issue. Contracts must be DORA-compliant, even with service providers outside the EU - for example, by stipulating contractual clauses that ensure compliance with EU resilience and security standards.

The challenges - and how to meet them

In discussions with customers, we repeatedly encounter similar questions and uncertainties:

  • How do we fully document our data processes?
  • How do we maintain an overview in multi-cloud environments?
  • How do we ensure that our service providers are also DORA-compliant?

"It is no longer enough to secure your own technical infrastructure. Banks and financial service providers must be able to prove at any time how sensitive data is processed, stored and passed on - both internally and externally."

- Alexander Sommer, our CEO, sums it up in a nutshell

What helps now:

  • Carrying out a gap analysis to assess the current status
  • Establishment of robust third-party provider management with clear criteria and audits
  • Introduction of automated tools for monitoring, reporting and audit trails

Conclusion: From a set of rules to a resilience strategy

DORA is more than just a regulatory must. It is an opportunity to rethink digital security - as an integral part of the corporate strategy. Those who act now will not only be compliant, but also resilient.

For all those who want to delve deeper

In our ePaper we have prepared DORA in a practical way, including:

  • Checklists for each field of action
  • Specific recommendations for implementation
  • Insight into technological solutions that can already provide support today

👉 Download now for free

João Salvado
People Operations