EU’s DORA Intensifies Bank IT Scrutiny by 2025

Lilu Anderson

The Impact of the Digital Operational Resilience Act (DORA)

Banks and their IT providers in the European Union are gearing up to face heightened scrutiny under the forthcoming Digital Operational Resilience Act (DORA). Passed last year, this stringent legislation is slated for enforcement in January 2025, aiming to bolster the digital resilience of financial institutions.

Key Requirements Under DORA

DORA mandates that banks implement rigorous IT risk management protocols. This includes conducting regular digital operational resilience testing and sharing information and intelligence on cyber threats and vulnerabilities. Furthermore, banks must address their reliance on third-party providers by managing associated risks and evaluating their "concentration risk," which pertains to outsourcing critical functions to external companies.

The Role of Third-Party IT Providers

According to Joe Vaccaro, general manager of ThousandEyes, part of Cisco, "Third-party providers are integral to delivering critical digital services to customers." Consequently, these providers must participate in testing and reporting processes. Financial institutions are thus encouraged to invest in solutions that help identify and manage dependencies on these providers, ensuring they can deliver and maintain digital services effectively.

Learning from the CrowdStrike Incident

The necessity for such measures was recently underscored by a significant IT outage involving CrowdStrike, a cybersecurity firm. This incident led to the disruption of Microsoft Windows systems, affecting airports, hospitals, and financial services firms. Delta Air Lines was notably impacted, canceling over 5,000 flights and estimating losses of $500 million. In response, Delta has threatened legal action against CrowdStrike, which acknowledges its role in the outage but contends that Delta's competitors managed to restore operations more swiftly.

Addressing the Complex Ecosystem of Vendors

The CrowdStrike incident highlights the critical role of third-party vendors such as cloud service providers in ensuring resilient infrastructure. Larson McNeil, co-head of marketplaces and digital ecosystems at J.P. Morgan Payments, emphasized the complexity of modern business ecosystems, where multiple partners operate together. Understanding these relationships and the risks they pose is vital for maintaining operational resilience.

In conclusion, as banks and their IT providers brace for the implementation of DORA by 2025, it is imperative for them to fortify their digital infrastructures and manage third-party relationships effectively. This proactive approach will not only help prevent incidents like the CrowdStrike outage but will also enhance the overall resilience of financial services in the EU.
