© Copyright Acquisition International 2025 - All Rights Reserved.

Article Image - The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
Posted 2nd November 2023

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.

Mouse Scroll AnimationScroll to keep reading

Let us help promote your business to a wider following.

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
IT Security

Third-party custom data and software providers can help mitigate risk and ensure compliance 

Gareth Mapp, CRO, Software Solved

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.  

It also ensures continuity of critical services so that incidents like the 2018 TSB fiasco cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate over five million customers when an IT migration left them locked out of their accounts. DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. 

 

What DORA means for the finance sector 

The regulations mean that financial entities will have to report major ICT-related incidents to the authorities within a specific timeframe. Organisations will also have to report the major ICT-related incidents to affected users and clients immediately. There will also be an obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require an in-depth incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements. 

 

Understanding supply chain threats 

Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand-out is the acknowledgement of the threat from third-parties. Cyber-criminals target supply chains to hit organisations through the ‘back-door’; the relationship which ICT companies have with their clients means that key systems are connected.  

DORA raises the bar on how organisations collaborate with third-parties. This includes accountability over vendors, business partners or other third-parties such as software and cloud providers. In order to be compliant with DORA, financial institutions are responsible for governing the relationship with third-parties. 

DORA came into force at the beginning of 2023 and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESA). They draw up warning and recommendations for risk mitigation in the financial sector across Europe and is affiliated with the European Central Bank. By next year, the ESAs will implement the standards and by the beginning of 2025 the DORA requirements will be enforceable with all financial companies expected to be compliant with the regulation by January 2025.  

 

DORA is unavoidable- so don’t wait to mitigate legacy system risk 

UK companies cannot avoid DORA; its reach basically extends to any enterprise offering ICT services that is considered critical to the supply chain supporting the European financial sector (regardless of whether that enterprise or service is based inside the EU). It is also highly likely that DORA will be made UK-specific law, so there is little point in waiting until this happens. 

DORA also stipulates that financial institutions will be required to conduct ICT risk assessments on legacy ICT systems on a regular basis. As technology progresses, support for older systems dwindles with developers and manufacturers prioritising newer systems, gradually making patches and updates scarce, if non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks. 

Also, as employees who maintain legacy systems retire, younger employees are less likely to want or be offered training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cyber security tools often struggle to integrate with older systems. Legacy systems might lack the necessary functionalities to accommodate advanced security measures, leaving gaps in the defence framework. 

 

Third-party data and software providers can ensure compliance  

Even though 2025 seems a long way off, companies need to start working now to ensure that they are compliant in good time. Industries, especially those with entrenched infrastructures such as: banks, insurance companies and investment firms, cannot easily overhaul their systems without massive disruptions. So, the balance between maintaining legacy systems and transitioning to newer technology is a delicate dance. 

These institutions need to look to custom data and software specialists who can look at the detail of the regulations and establish how far reaching they are for your organisation. Then they can start to define the scope of the project within the context of the risks you are likely to come across as a business. Critical to being compliant to DORA regulations, custom software and data specialists will be able to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. 

 

Don’t compromise operational resilience- put the right controls in now 

By putting in the right controls now you will save yourself time in the long run. Custom data and software specialists will be able to ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption should it occur. 

Whilst the enforcement of the regulation seems that it will be proactive, there is still some uncertainty about the penalties of not being compliant, the way that the regulation has been introduced points to some fairly hefty consequences. It has been suggested that a fine will be issued in perhaps equal to one day’s trading. There is, unlike some other regulations, also a criminal element with charges likely to be brought against companies and individuals who do not adhere to the regulation.  

There is no one-size-fits-all approach to being DORA compliant, but by turning to custom data and software specialists, financial institutions can ensure a clear ICT third-party risk management strategy is in place. Starting your DORA preparations now will ensure you are one step ahead.  

Categories: Finance, Legal, News


You Might Also Like
Read Full PostRead - Eye Icon
Mergers and Acquisitions Gain Momentum in European Medical Device Sector
M&A
14/04/2015Mergers and Acquisitions Gain Momentum in European Medical Device Sector

The contribution of US buyers to M&As in Europe is expected to increase, finds Frost & Sullivan.

Read Full PostRead - Eye Icon
New York’s Experts in Medical Litigation
Legal
07/05/2019New York’s Experts in Medical Litigation

Since its inception, the Law Firm of Joseph M. Lichtenstein has become the go-to firm for hundreds of New Yorkers who have suffered at the hands of medical negligence. Recently, the firm found were recognised by Acquisition Intl. as 2018’s Most Outstanding M

Read Full PostRead - Eye Icon
The Only Way is Upp.
News
08/08/2023The Only Way is Upp.

Sometimes, companies could see a decay in income from their marketing channels, but there may not seem to be a reason for it.

Read Full PostRead - Eye Icon
Knowing Your Audience and Talking to Them Clearly
Strategy
19/10/2020Knowing Your Audience and Talking to Them Clearly

No matter what industry you work in there will be a level of marketing required to be able to reach the right people, and not only reach them but reach them with the right message and the correct language to gain their trust. This means that you are able to bu

Read Full PostRead - Eye Icon
Nordic Region Rivals US and Europe for Process Excellence Adoption
Innovation
17/02/2015Nordic Region Rivals US and Europe for Process Excellence Adoption

Nokia Labs Head of Operations Jarkko Pellikka, Ph.D says the Nordic region boasts some of the finest examples of process and operational excellence in the world today.

Read Full PostRead - Eye Icon
Small Business Struggles
Finance
13/08/2015Small Business Struggles

The British Business Bank is regulator of a scheme that ensures small businesses are referred to relevant alternative finance providers in the event of being turned down for bank funding. But what's taking so long?

Read Full PostRead - Eye Icon
The Future of Salon Management: Embracing Technology for Better Results
Innovation
03/03/2023The Future of Salon Management: Embracing Technology for Better Results

Salon management has changed drastically in the past few decades. From the adoption of modern technologies to more efficient operational systems, salons have made significant strides in improving their services.

Read Full PostRead - Eye Icon
Aligning Your Startup Business Strategy with Success
Strategy
27/01/2021Aligning Your Startup Business Strategy with Success

Are you ready to take the plunge into starting your own company? This decision is only the beginning. There are still several steps between making the decision and launching, and skipping any of them can reduce the likelihood of your success. By organizing you

Read Full PostRead - Eye Icon
Novel Biological Medicines
Innovation
01/03/2016Novel Biological Medicines

Batavia Biosciences focuses on accelerating the transition of novel biological medicines from laboratory bench to the clinic with improved success and lower cost.



Our Trusted Brands

Acquisition International is a flagship brand of AI Global Media. AI Global Media is a B2B enterprise and are committed to creating engaging content allowing businesses to market their services to a larger global audience. We have 14 unique brands, each of which serves a specific industry or region. Each brand covers the latest news in its sector and publishes a digital magazine and newsletter which is read by a global audience.

Arrow