As the clock ticks toward January 17, 2025, financial institutions across the EU are racing to prepare for the Digital Operational Resilience Act (DORA). This landmark regulation is set to reshape cybersecurity and operational resilience in financial ecosystems. Non-compliance isn’t just about fines.

It opens the door to reputational damage and heightened cyber risks. However, while leaders must go beyond internal systems, addressing risks across their third-party vendors and ecosystems whilst balancing budgets and tight deadlines, DORA compliance can be simplified – and offer new business opportunities.

Is your organisation ready to meet the challenge?

Addressing third-party risks

Financial institutions – including third-party ICT Service Providers like cloud vendors and data centres – must evaluate their DORA readiness. Historically, third-party vendors have not had to shoulder as much regulatory pressure, often shifting the burden of breaches back onto the institutions they serve. For example, third-party cloud providers have previously been able to avoid disclosing their cybersecurity measures, leaving organisations at risk of violating their own policies. Third-party risks such as these have led to high-profile data breaches across 2024, notably, the Santander hack earlier this year, and the recent Finastra breach, which provide examples of underscoring vulnerabilities in financial ecosystems. Third party risk can often lead to a single point of failure which can disrupt an entire financial ecosystem. Alongside the consequences of regulatory fines and reputational damage, single points of failure can also incur extensive costs for institutions due to downtime and reparations.

DORA aims to harmonise security standards across the financial sector to mitigate the risk of third-party breaches. It also aims to enhance resiliency in everyday operations to reduce the risk of single points of failure, by requiring businesses to plan and be prepared for such events. These requirements to amend risk assessments, policies, and perhaps entire IT infrastructures, will extend beyond EU borders: affecting all organisations providing services to EU-based entities.

To ensure DORA compliance, organisations can begin by building third-party risk monitoring and management into its risk management strategy. Opting for a zero-trust framework, which assumes that every identity and device is a threat and deploying privacy-enhancing technologies (PETs) such as tokenisation and encryption will help mitigate the risk of third-party breaches. Through anonymising data at rest, in motion, and in transit (for example, whilst being shared), PETs provide an extra layer of defence and ensure sensitive information is protected even in the event of a breach. Safe data practices such as these enable organisations to securely back-up their processes and data, further mitigating the risk of single points of failure disrupting an entire ecosystem and maintaining DORA compliance.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Key steps to compliance

Preparing for any new regulation and implementing changes in existing IT infrastructures is always a challenge. However, data security tools can help teams create a structured, simple, and effective plan. By following these six key steps, teams can streamline the journey to compliance and drive down operational costs.

1. Conduct a Gap Analysis

A gap analysis using data protection tools will help companies to review whether existing systems, processes, and risk management measures are aligned with DORA’s requirements.

2. Develop an Action Plan

Create a detailed plan of action for data security and resiliency. Outline the specific steps the organisation will take to meet DORA’s standards, set realistic deadlines, and allocate responsibilities.

3. Strategically Allocate Resources

Allocate an appropriate budget for upgrading technology, bringing in expert assistance, and providing necessary training for the teams that will be responsible for implementing measures to meet the DORA compliance standards.

4. Engage All Stakeholders

DORA compliance requires collaboration across the whole organisation. Ensure senior management, risk teams, and third-party vendors fully understand their roles.

 5. Test, Validate, and Report

Regular testing, such as penetration testing and simulated cyberattacks, will help to identify and address any weaknesses before they turn into real issues. Through enhancing resiliency in everyday operations, organisations mitigate the risks of unexpected denial of service attacks, stress due to business periods, and unexpected natural disasters. Further, reporting on these tests will also demonstrate compliance with DORA.

6. Maintain ongoing monitoring

Compliance requires continuous monitoring to keep up with evolving threats and any changes in the regulation. To enhance efficiency over the long term, parts of this process can become automated.

By following these steps, organisations can enhance cybersecurity, strengthen operational resilience, and build trust with clients by demonstrating their commitment to safeguarding assets.

Unlocking opportunities with DORA

According to the World Economic Forum, businesses that focus on digital resilience and operational efficiency are likely to be more agile, profitable, and forward-thinking in the future. As such DORA compliance can unlock new horizons, enabling organisations to explore cutting-edge processes and responsibly integrate emerging technologies.

For example, one of the world’s largest banks, supporting over 200 million customers across 160 countries, faced the challenge of complying with global privacy regulations while maintaining operational efficiency. Instead of duplicating infrastructure in 130 countries or outsourcing to costly local data processors, the bank implemented a data security platform with privacy-enhancing technologies. This allowed it to protect sensitive customer data globally, comply with regulations, and unlock new use cases like fine-grained marketing and fraud analytics.

This example highlights how DORA compliance can drive innovation and unlock new partnerships and data insights. For financial institutions across the EU, DORA offers the chance to strengthen resilience while exploring transformative business opportunities.

Confidently approaching the DORA deadline

With the January 2025 deadline rapidly approaching, financial institutions across the EU must prioritise compliance to safeguard operations and future advancements. However, ensuring compliance doesn’t have to be complicated, and it can be a strategic opportunity to future-proof operations, strengthen resilience, and drive growth.

Alasdair Anderson is VP of EMEA at Protegrity