DORA: Setting a New Standard for Cybersecurity in Finance

The EU has implemented a vast array of regulations designed to oversee the financial sector. This is essential for maintaining a stable and secure financial market, protecting consumers, and fostering fair competition.

Now, DORA, the Digital Operational Resilience Act, is being introduced. This regulation focuses on strengthening the cybersecurity and digital resilience of the financial sector. Its aim is to better equip EU financial institutions to withstand cyberattacks and digital risks, thereby ensuring the stability of the financial system.

As of January 17, 2025, DORA will be applicable to all financial institutions, including banks, savings banks, insurance companies, asset managers, and financial service providers. This broad scope encompasses entities such as factoring or leasing companies, and even account information service providers like wealthAPI.

Cyberattacks in the financial sector: A growing threat

The interest of cybercriminals in financial institutions is unsurprising, given that these companies deal with two highly valuable assets: money and sensitive data. With the financial sector being highly digitized, it presents an attractive target for cyberattacks. The number of cyberattacks targeting banks is on the rise. In 2023, BaFin received 235 reports from banks about severe IT issues, including cyberattacks. Although the 2024 data is not yet final, it’s expected to show an increase. This trend is mirrored globally, with JP Morgan reporting a staggering 45 billion suspicious cyber events per day in spring 2024.

Through DORA, the EU seeks to enhance cybersecurity and digital resilience in the financial sector. By mandating stricter digital safeguards for financial institutions, the EU aims to mitigate risks such as data breaches, ransomware attacks, and operational disruptions. The protection of sensitive customer information, including account and payment details, is a paramount concern.

The overarching goal of these stringent requirements is to safeguard the stability of the financial system. Cyberattacks on individual financial institutions can have systemic implications, affecting the broader financial market. A case in point is the November 2023 cyberattack on the US subsidiary of the Industrial and Commercial Bank of China, which temporarily disrupted US Treasury bond trading and necessitated manual clearing.

Cyberattacks pose a dual threat: they can disrupt critical systems and erode public trust. It is clear that without robust security measures to protect financial data, consumers will be hesitant to embrace digital banking services. The traditional savings account under the mattress could once again become the preferred method of saving.

DORA: Laying the Groundwork for a Secure Digital Financial Future

While DORA presents challenges for financial institutions, it ultimately enhances their digital resilience, offering long-term advantages. But what does this regulation entail? What specific actions are required of financial service providers? The mandates can be categorized into several key areas:

Comprehensive ICT Risk Management

Financial institutions are required to conduct a thorough inventory of all their IT systems, processes, and data, identifying and assessing potential risks. This involves evaluating the likelihood of vulnerabilities being exploited and the potential consequences of such incidents. To mitigate these risks, financial institutions must implement specific measures, such as enhanced technical security controls and employee training.

Enhancing Digital Resilience

Financial institutions need to be able to maintain critical business functions during and after disruptions. Detailed contingency plans must be developed and regularly tested to ensure a swift and effective response to incidents. These regular stress tests are designed to evaluate the resilience of IT systems against a variety of threats.

Transparent incident reporting

DORA mandates that financial institutions must report specific IT incidents to the supervisory authority, BaFin. These incidents can range from cyberattacks to critical system failures. To facilitate effective oversight, incidents must be classified based on their severity and potential consequences.

Enhancing Third-Party Relationships

Financial institutions need to strengthen their relationships with external service providers by ensuring that these providers adhere to stringent security standards. Contracts with third parties must clearly outline cybersecurity requirements and establish protocols for incident response.


Implementing DORA necessitates a holistic approach to the IT environment, requiring close collaboration across all relevant departments. While DORA imposes stringent requirements on financial institutions, these measures ultimately contribute to enhanced security.

By enhancing their resilience as mandated by DORA, financial institutions become better prepared to mitigate the impact of disruptions and cyberattacks. This reduces the risk of data breaches, safeguarding sensitive customer information. Consequently, customers and business partners have greater confidence in these institutions. Successful implementation of DORA can significantly enhance an institution’s reputation and competitive advantage.

Specific Measures for DORA Implementation

Although DORA does not dictate specific technical solutions, it establishes clear cybersecurity requirements. These requirements can be met through various concrete measures tailored to each financial institution’s unique circumstances. For example:

  • Data Encryption: All sensitive data, both at rest and in transit, must be encrypted to prevent unauthorized access.
  • End-to-End Encryption: To protect highly sensitive data, such as online banking transactions, end-to-end encryption is essential.
  • Role-Based Access Control (RBAC): Each employee should only have access to the information and systems necessary to perform their job duties.
  • Multi-Factor Authentication (MFA): To enhance security, access to critical systems should be protected by MFA, requiring additional verification beyond passwords.
  • Real-Time Monitoring: Intrusion detection and prevention systems (IDPS) should continuously monitor the network for suspicious activity and be able to detect and block attacks in real time.
  • Unauthorized Access Protection: Firewalls should be used to filter network traffic and block unauthorized connections.
  • Regular Updates: Software and systems must be kept up-to-date to address known vulnerabilities.
  • Employee Awareness: A comprehensive employee training program is essential to foster a security-conscious culture and minimize the risk of human error.

Challenges in Implementation

The list demonstrates that the challenges of implementing DORA are significant. The EU adopted the regulation in December 2022 and published it in the Official Journal of the European Union on January 16, 2023. Financial service providers were thus given 24 months to implement the requirements.

That time was needed. Adapting IT infrastructure and training employees is complex and costly. In the worst case, business processes had to be fundamentally revised. Close cooperation between different departments is essential to meet the new requirements.

Large institutions such as banks or insurance companies can address this problem with a lot of expertise and money. Smaller companies may find it more difficult to implement the new requirements due to limited resources and know-how. The higher costs can lead to competitive disadvantages and make it difficult to retain customers. There is a risk that smaller players on the market will be disadvantaged or even disappear altogether.

It is particularly critical for companies that are less digitally oriented. DORA will put them to a severe test. Analog processes must be converted and adapted. Digital companies like wealthAPI can, on the other hand, view the regulation calmly. Although I cannot speak for others, our IT infrastructure is fundamentally geared towards security. We have been meeting the requirements stipulated by DORA for a long time. (Read more about our Security Requirements.)

Impact on Consumers: More Security, but Also Higher Costs?

DORA doesn’t only have consequences for financial service providers. Users will also notice effects in the short or long term.

It’s clear that increased security allows customers to conduct their financial transactions with greater confidence. Sensitive customer data such as account information, payment data, and personal data is better protected. This reduces the risk of identity theft and fraud. A stable financial system also protects consumers’ savings and minimizes the risk of losses in financial crises or cyberattacks. This security ensures that consumers can better plan their financial future. In the long term, customers benefit from innovative products and services enabled by DORA. These could include, for example, improved mobile banking apps or personalized financing offers.

However, the higher security requirements could indirectly lead to higher fees or restricted services. To ensure security, certain services could be restricted or made more difficult. This could include, for example, international transfers or certain payment methods. Less profitable products or services could even be discontinued if they do not meet the new security requirements.

DORA – A Milestone, But…

DORA is a significant step forward in enhancing cybersecurity within the financial sector. However, the fight against cybercriminals is a constant race against time. While DORA establishes new standards, cyber attackers are also continuously evolving their tactics.

The success of DORA ultimately depends on how consistently financial institutions implement the new requirements and adapt to the ever-changing threat landscape. In addition to technical measures, the human factor is also crucial. Phishing attacks and social engineering specifically exploit human curiosity and carelessness. Only through a combination of robust IT systems and trained personnel can financial institutions effectively protect themselves against cyberattacks. Continuous employee training and a strong security culture are essential.