© Copyright Acquisition International 2026 - All Rights Reserved.

Article Image - The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
Posted 2nd November 2023

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.

Mouse Scroll AnimationScroll to keep reading

Let us help promote your business to a wider following.

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

IT Security

Third-party custom data and software providers can help mitigate risk and ensure compliance 

Gareth Mapp, CRO, Software Solved

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.  

It also ensures continuity of critical services so that incidents like the 2018 TSB fiasco cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate over five million customers when an IT migration left them locked out of their accounts. DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. 

What DORA means for the finance sector 

The regulations mean that financial entities will have to report major ICT-related incidents to the authorities within a specific timeframe. Organisations will also have to report the major ICT-related incidents to affected users and clients immediately. There will also be an obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require an in-depth incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements. 

Understanding supply chain threats 

Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand-out is the acknowledgement of the threat from third-parties. Cyber-criminals target supply chains to hit organisations through the ‘back-door’; the relationship which ICT companies have with their clients means that key systems are connected.  

DORA raises the bar on how organisations collaborate with third-parties. This includes accountability over vendors, business partners or other third-parties such as software and cloud providers. In order to be compliant with DORA, financial institutions are responsible for governing the relationship with third-parties. 

DORA came into force at the beginning of 2023 and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESA). They draw up warning and recommendations for risk mitigation in the financial sector across Europe and is affiliated with the European Central Bank. By next year, the ESAs will implement the standards and by the beginning of 2025 the DORA requirements will be enforceable with all financial companies expected to be compliant with the regulation by January 2025.  

DORA is unavoidable- so don’t wait to mitigate legacy system risk 

UK companies cannot avoid DORA; its reach basically extends to any enterprise offering ICT services that is considered critical to the supply chain supporting the European financial sector (regardless of whether that enterprise or service is based inside the EU). It is also highly likely that DORA will be made UK-specific law, so there is little point in waiting until this happens. 

DORA also stipulates that financial institutions will be required to conduct ICT risk assessments on legacy ICT systems on a regular basis. As technology progresses, support for older systems dwindles with developers and manufacturers prioritising newer systems, gradually making patches and updates scarce, if non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks. 

Also, as employees who maintain legacy systems retire, younger employees are less likely to want or be offered training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cyber security tools often struggle to integrate with older systems. Legacy systems might lack the necessary functionalities to accommodate advanced security measures, leaving gaps in the defence framework. 

Third-party data and software providers can ensure compliance  

Even though 2025 seems a long way off, companies need to start working now to ensure that they are compliant in good time. Industries, especially those with entrenched infrastructures such as: banks, insurance companies and investment firms, cannot easily overhaul their systems without massive disruptions. So, the balance between maintaining legacy systems and transitioning to newer technology is a delicate dance. 

These institutions need to look to custom data and software specialists who can look at the detail of the regulations and establish how far reaching they are for your organisation. Then they can start to define the scope of the project within the context of the risks you are likely to come across as a business. Critical to being compliant to DORA regulations, custom software and data specialists will be able to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. 

Don’t compromise operational resilience- put the right controls in now 

By putting in the right controls now you will save yourself time in the long run. Custom data and software specialists will be able to ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption should it occur. 

Whilst the enforcement of the regulation seems that it will be proactive, there is still some uncertainty about the penalties of not being compliant, the way that the regulation has been introduced points to some fairly hefty consequences. It has been suggested that a fine will be issued in perhaps equal to one day’s trading. There is, unlike some other regulations, also a criminal element with charges likely to be brought against companies and individuals who do not adhere to the regulation.  

There is no one-size-fits-all approach to being DORA compliant, but by turning to custom data and software specialists, financial institutions can ensure a clear ICT third-party risk management strategy is in place. Starting your DORA preparations now will ensure you are one step ahead.  

Categories: Finance, Legal, News


You Might Also Like
Read Full PostRead - Eye Icon
Best Private Asset Broking Firm 2022 – United Kingdom
M&A
25/04/2023Best Private Asset Broking Firm 2022 – United Kingdom

Fraser Coutts & Partners is a multi-award-winning specialist private international brokerage and advisory boutique working in the real assets space. Its founder, Fraser Coutts, is an economist, business advisor, and deal broker with over 25 years of experience

Read Full PostRead - Eye Icon
Bad First Impressions Drive One-Third of Consumers to Delete Apps
Strategy
03/12/2020Bad First Impressions Drive One-Third of Consumers to Delete Apps

ForgeRock®, the leading provider in digital identity, today announced the release of volume two of its global report, “The New Normal – Living Life Online.” The study polled 5,000 consumers throughout the U.S., U.K., Germany, Australia and Singapore to

Read Full PostRead - Eye Icon
Making You Feel Happy, Healthy and Wealthy
Finance
10/02/2017Making You Feel Happy, Healthy and Wealthy

Agrawal Associates provides wealth management solutions for their clients. We chat with Girish Agrawal, who explains what the firm provides to clients.

Read Full PostRead - Eye Icon
The Possibilities of P2P Lending
Finance
01/07/2016The Possibilities of P2P Lending

Saving Stream is a highly innovative peer to peer investment platform launched in 2013 by Lendy Ltd. Generally speaking, peer to peer lending allows investors to finance development projects and property purchases.

Read Full PostRead - Eye Icon
The Secret to Success? Find a Trusted Business Advisor
News
08/09/2023The Secret to Success? Find a Trusted Business Advisor

Starting a business is a bit like hiking up a mountain blindfolded – it’s difficult, disorienting, and you never know what unexpected cliffs or pitfalls await around the next bend. The stakes feel high, and one wrong step can send you tumbling. But

Read Full PostRead - Eye Icon
Nordic Capital Acquires RESMAN
Finance
01/04/2015Nordic Capital Acquires RESMAN

Nordic Capital acquire RESMAN

Read Full PostRead - Eye Icon
Paysafecard Launches in New Zealand
Innovation
17/04/2015Paysafecard Launches in New Zealand

paysafecard, the Vienna-based global market leader in prepaid online payment methods, and member of the international Skrill Group, continues its course of international expansion with its launch in New Zealand.

Read Full PostRead - Eye Icon
The Pros and Cons of Owning an Airbnb
Finance
31/08/2022The Pros and Cons of Owning an Airbnb

If you are searching for the pros and cons of renting your home on Airbnb, you are probably thinking of becoming an Airbnb host. Well, in this article we will try and help you figure out if it is a good idea. We will cover a few things you need to have in mind

Read Full PostRead - Eye Icon
Who Is the Best EDI Service?
News
25/04/2025Who Is the Best EDI Service?

Small businesses often need electronic data interchange (EDI) services to better communicate with their clients. For example, a B2B business might send and receive purchase orders and invoices. An EDI utilises a standard format and prompts the user to fill in



Our Trusted Brands

Acquisition International is a flagship brand of AI Global Media. AI Global Media is a B2B enterprise and are committed to creating engaging content allowing businesses to market their services to a larger global audience. We have a number of unique brands, each of which serves a specific industry or region. Each brand covers the latest news in its sector and publishes a digital magazine and newsletter which is read by a global audience.

Arrow