© Copyright Acquisition International 2025 - All Rights Reserved.

Article Image - The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
Posted 2nd November 2023

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.

Mouse Scroll AnimationScroll to keep reading

Let us help promote your business to a wider following.

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
IT Security

Third-party custom data and software providers can help mitigate risk and ensure compliance 

Gareth Mapp, CRO, Software Solved

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.  

It also ensures continuity of critical services so that incidents like the 2018 TSB fiasco cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate over five million customers when an IT migration left them locked out of their accounts. DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. 

 

What DORA means for the finance sector 

The regulations mean that financial entities will have to report major ICT-related incidents to the authorities within a specific timeframe. Organisations will also have to report the major ICT-related incidents to affected users and clients immediately. There will also be an obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require an in-depth incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements. 

 

Understanding supply chain threats 

Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand-out is the acknowledgement of the threat from third-parties. Cyber-criminals target supply chains to hit organisations through the ‘back-door’; the relationship which ICT companies have with their clients means that key systems are connected.  

DORA raises the bar on how organisations collaborate with third-parties. This includes accountability over vendors, business partners or other third-parties such as software and cloud providers. In order to be compliant with DORA, financial institutions are responsible for governing the relationship with third-parties. 

DORA came into force at the beginning of 2023 and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESA). They draw up warning and recommendations for risk mitigation in the financial sector across Europe and is affiliated with the European Central Bank. By next year, the ESAs will implement the standards and by the beginning of 2025 the DORA requirements will be enforceable with all financial companies expected to be compliant with the regulation by January 2025.  

 

DORA is unavoidable- so don’t wait to mitigate legacy system risk 

UK companies cannot avoid DORA; its reach basically extends to any enterprise offering ICT services that is considered critical to the supply chain supporting the European financial sector (regardless of whether that enterprise or service is based inside the EU). It is also highly likely that DORA will be made UK-specific law, so there is little point in waiting until this happens. 

DORA also stipulates that financial institutions will be required to conduct ICT risk assessments on legacy ICT systems on a regular basis. As technology progresses, support for older systems dwindles with developers and manufacturers prioritising newer systems, gradually making patches and updates scarce, if non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks. 

Also, as employees who maintain legacy systems retire, younger employees are less likely to want or be offered training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cyber security tools often struggle to integrate with older systems. Legacy systems might lack the necessary functionalities to accommodate advanced security measures, leaving gaps in the defence framework. 

 

Third-party data and software providers can ensure compliance  

Even though 2025 seems a long way off, companies need to start working now to ensure that they are compliant in good time. Industries, especially those with entrenched infrastructures such as: banks, insurance companies and investment firms, cannot easily overhaul their systems without massive disruptions. So, the balance between maintaining legacy systems and transitioning to newer technology is a delicate dance. 

These institutions need to look to custom data and software specialists who can look at the detail of the regulations and establish how far reaching they are for your organisation. Then they can start to define the scope of the project within the context of the risks you are likely to come across as a business. Critical to being compliant to DORA regulations, custom software and data specialists will be able to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. 

 

Don’t compromise operational resilience- put the right controls in now 

By putting in the right controls now you will save yourself time in the long run. Custom data and software specialists will be able to ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption should it occur. 

Whilst the enforcement of the regulation seems that it will be proactive, there is still some uncertainty about the penalties of not being compliant, the way that the regulation has been introduced points to some fairly hefty consequences. It has been suggested that a fine will be issued in perhaps equal to one day’s trading. There is, unlike some other regulations, also a criminal element with charges likely to be brought against companies and individuals who do not adhere to the regulation.  

There is no one-size-fits-all approach to being DORA compliant, but by turning to custom data and software specialists, financial institutions can ensure a clear ICT third-party risk management strategy is in place. Starting your DORA preparations now will ensure you are one step ahead.  

Categories: Finance, Legal, News


You Might Also Like
Read Full PostRead - Eye Icon
UK Businesses Confess They Are Overwhelmed By Volume Of Data
Strategy
23/03/2020UK Businesses Confess They Are Overwhelmed By Volume Of Data

67% of organisations are struggling to access their data to make business decisions.

Read Full PostRead - Eye Icon
easyJet Takes Delivery of Its 250th Airbus Aircraft
Strategy
23/04/2015easyJet Takes Delivery of Its 250th Airbus Aircraft

easyJet and Airbus have celebrated their successful partnership at a ceremony in Hamburg to mark the delivery the airline's 250th Airbus A320 family aircraft. Carolyn McCall, easyJet CEO, Jean-Paul Ebanga, CFM International President and CEO, Didier Evrard, Ai

Read Full PostRead - Eye Icon
Mid Market Top 50
Innovation
02/06/2016Mid Market Top 50

Novimmune is a privately held Swiss bio-pharmaceutical company focused on the discovery, development and commercialisation of antibody-based drugs for the targeted treatment of inflammatory diseases, immune-related disorders, and cancer.

Read Full PostRead - Eye Icon
How to Improve Efficiency at Your Warehouse
News
25/03/2024How to Improve Efficiency at Your Warehouse

How to Improve Efficiency at Your Warehouse Meta: How do you improve efficiency at your warehouse? Read our tips to find out. INSERT IMAGE: https://images.unsplash.com/photo-1586528116022-aeda1613c63d?q=80&w=1771&auto=format&fit=crop&ixlib=rb-4

Read Full PostRead - Eye Icon
Renewables:The Fastest Growing Energy Sector of 2015
Finance
28/10/2015Renewables:The Fastest Growing Energy Sector of 2015

The market for renewable energy in Europe is increasing rapidly, The EU is working to reduce the effects of climate change and establish a common energy policy.

Read Full PostRead - Eye Icon
Discover Why the Leaders in Cell Therapy are Expanding with Title21 Health Solutions
Innovation
18/02/2020Discover Why the Leaders in Cell Therapy are Expanding with Title21 Health Solutions

Top Blood and Marrow Transplant and Immunotherapy programs depend on Title21 Health Solution’s (Title21) technology to manage the patient, product and process data from collection to infusion. We had a chance to catch up with Lynn Fischer, the CEO at Title21

Read Full PostRead - Eye Icon
Tele Columbus Acquisition of PrimaCom
Finance
03/08/2015Tele Columbus Acquisition of PrimaCom

Tele Columbus Acquisition of PrimaCom

Read Full PostRead - Eye Icon
5 Tips For Diversifying Your Portfolio with Exchange-Traded Funds
Finance
06/06/20245 Tips For Diversifying Your Portfolio with Exchange-Traded Funds

As a savvy investor, diversifying your investment portfolio is one key strategy for maximizing your returns. One great way to achieve this is by investing in exchange-traded funds (ETFs).

Read Full PostRead - Eye Icon
Investing in the Potential of 5G – and the Companies Worth Watching
Finance
17/10/2022Investing in the Potential of 5G – and the Companies Worth Watching

The 5G market is projected to be worth $65 billion (£53.6 billion) by 2026, and by 2024, there will be over a billion global 5G subscribers. While the 5G sector has been impacted by scepticism after years of hype, there is likely to be a new phase of competit



Our Trusted Brands

Acquisition International is a flagship brand of AI Global Media. AI Global Media is a B2B enterprise and are committed to creating engaging content allowing businesses to market their services to a larger global audience. We have 14 unique brands, each of which serves a specific industry or region. Each brand covers the latest news in its sector and publishes a digital magazine and newsletter which is read by a global audience.

Arrow