The Digital Operational Resilience Act (DORA) is an EU financial services industry (FSI) regulation that came into force on 16 January 2023 and applies as of 17 January 2025. It is a framework for protecting financial services' operational resilience by establishing uniform rules for ICT risk management, incident reporting, and third-party risk.
Other EU regulations, like MiFID II, PSD2 and EMIR, have required firms to implement many elements of DORA, but vertically at the product level. DORA instead requires them to implement these elements, such as enhanced third-party risk management, horizontally across the entire business.
Like the FCA’s PS21/3, this requires firms to think about what they need to do to ensure a ‘minimum viable bank’, as coined by the IBM Financial Services Cloud Council. This can be defined as the continuity of the (digital) services and third parties that deliver business critical services to us as consumers.
In support of a tech-first mindset
At the same time as DORA’s implementation, and starting many years before, financial services firms have been moving towards a decentralised technology operating model. This means teams are now using public cloud in conjunction with private cloud and on-premise infrastructure to deliver robust platforms that can address ever-evolving stakeholder needs.
The challenge with a decentralised approach to technology modernisation is that environments can become scattered and difficult to manage securely and effectively, a problem known as environment sprawl. This costs organisations significant time and money to manage, and can make complying with regulations like DORA more challenging.
However, flip the perspective and DORA can be seen as an enabler: helping to trigger a shift to a tech-first mindset, future-ready the industry and help protect business continuity.
To help ensure a ‘Minimum Viable Bank’, DORA is asking firms to consider adopting new processes and changing ways of working. In a sector that has experienced significant digital transformation, and is trending towards a decentralised operating model to support fast innovation and growth, this may bring challenges to older operating models. But leaders must recognise that adopting DORA’s requirements is more than a regulatory load; it can also assist their modernisation journey. It encourages them to take an aerial view and define how they operate with a tech-first mindset.
Regulators have been clear that DORA isn’t a tick-box exercise. Instead, it can be a way for financial services firms to prepare for the future, helping them to retain a competitive advantage so they can continue to grow securely. Compliance should be seen as a continuum firms can adapt to as technology evolves, and as the industry collaborates and learns how to improve together.
DORA also encourages a reduction in concentration risk on a macro scale. This means lowering the industry’s reliance on a handful of tech providers, and ensuring providers have a level playing field with banks if they choose to expand their offerings and enter the financial services market.
Challenges to overcome
With the above said, it’s important to acknowledge that adopting DORA’s requirements will be challenging for some firms. Bigger banks have already been implementing changes at the vertical level, but markets infrastructure, non-universal banks, and smaller firms may be on a different journey.
DORA may be costly for smaller firms and suppliers
Certain parts of DORA, such as the enhanced penetration testing requirements, are critical to protect organisations in today’s cybersecurity threat landscape. But they might be expensive to implement for smaller FSI organisations that aren’t yet following the likes of the TIBER-EU framework. Suppliers (like IT providers) also become subject to increased risk assessments, contractual requirements, and oversight, which may mean they pass on costs to financial services customers.
Navigating fourth- and fifth-party risks
Firms have been managing and securing against third-party risks for some time, but fourth- and fifth-party risks are increasingly what’s causing significant incidents. Financial services firms must now have visibility over their entire technology supply chain to reduce the potential risk surface area as much as possible.
Threat intelligence and incident-sharing communications
Interpretations and definitions within threat intelligence and incident-sharing differ between countries, organisations, and even teams. This means, despite knowledge sharing being of value to all organisations, it’s currently difficult to do effectively.
The onus is on firms, and their suppliers, to embrace a more open way of communicating threats and incidents. Ultimately, this should not be seen as an area of competition, and will actually benefit the wider financial system.
Ownership of operational resilience
Finally, because DORA requires organisations to think horizontally about overall operational resilience, there’s debate over which team — IT, ops, compliance, risk, procurement, legal — should manage transformation. Arguably, it should be all of the above. Technology has become the glue that unites the entire business, and everyone should upskill to be tech-savvy enough to support DORA implementation.
Open hybrid cloud platforms for efficiency, resilience, and optionality
To implement DORA, firms must adopt a tech stack that helps them plan and design for potential failure and optionality. Designing for potential failure supports cybersecurity preparedness, while optionality means organisations can pick the most cost-effective, secure, and efficient route to achieve their goals.
Implementing the next generation of technology itself is one thing - whether generative AI tools, open hybrid cloud or other emerging tech. Equally important is making sure that the systems - people, process, technology, business model, governance and culture - are resilient and adaptable.
To this end, the decentralised operating models and environment sprawl that are currently in place might not be the best option for fast-paced technology-driven change. The more complex an IT estate is, the harder it is to monitor for and mitigate against threats.
This is where hybrid cloud platforms come in. More than simply having access to both public and private clouds, hybrid cloud refers to the integration and orchestration between any cloud deployment, including multiple public clouds. A hybrid cloud platform based on container technology acts as a common layer across an entire organisation, interoperable with diverse hardware and software, thanks to the use of open APIs, open source and open ecosystem collaboration. Firms gain greater freedom to choose when and where to run workloads, and they can manage and scale applications and services consistently no matter the underlying environment.
This also helps pave the way for generative AI use. Teams across the business can get a consistent, centralised experience when training, maintaining, fine-tuning and deploying AI models in production. A holistic environment also protects against having too many failure points, helps standardise testing and validation to meet regulatory requirements for control and transparency, and supports AI adoption to scale over time.
DORA implementation may be challenging for certain financial services firms, but it should be acknowledged as a step in the right direction for the industry and society as a whole. It pushes organisations to think horizontally, not just vertically, about running operations in a stable, secure, tech-first manner. It also encourages firms to standardise their tech stack, and securely enables application and data portability, netting optionality. Ultimately, it forces the sector to prepare for the future and for potential risks, and frees teams up to innovate and strategically add value to the business.
To learn more about how to build a foundation for operational resilience in financial services, visit Red Hat’s dedicated web page or more in-depth overview and listen to the Coffee Break discussion with Red Hat experts discussing how GenAI can help banks meet compliance obligations.
About the author
As digital transformation lead for financial services globally at Red Hat, Monica provides strategic support to customers as they look to open source and open hybrid cloud technologies to drive business transformation initiatives.
Previously, Monica worked for prestigious organisations on a global scale – from Nationwide and Barclays to Coutts and Deutsche Bank.
In her spare time, Monica works with women entrepreneurs and helps encourage more girls to participate in sports – she is the past Honorary Treasurer and Corporate Social Responsibility Champion for the University Women’s Club, London and is a Girl Guides leader.