
How financial IT becomes resilient: Implement DORA securely

The digital resilience of the financial world is being put to the test: since January 17, 2025, more than 3,600 companies have been required to implement the EU Regulation DORA (BaFin). The new cybersecurity standards require efficient emergency and third-party provider management and the integration of robust measures into ongoing operations. Here's how to implement them.

European financial institutions will continue to face a worryingly high number of cyberattacks in 2025. In 2024 alone, 60 percent of EU companies reported that their business existence was threatened by cyberattacks. The financial sector is under particular pressure – the large amounts of data in banks' IT systems repeatedly attract criminals who have developed effective strategies to specifically exploit vulnerabilities.

ECB stress test shows need for action

In order to better assess the impact of this threat, the European Central Bank has been conducting stress tests since the financial and economic crisis of 2008 to test banks' response to crises (ECB). 109 banks participated in the most recent cyber stress test in 2024 (ECB). The result: although banks do have a framework for responding to attacks and restoring security, there is still room for improvement in some areas. This includes ensuring business continuity after an attack and strengthening backup measures. There is also a need for action in the review of external service providers. The results of the test fed into the ECB's Supervisory Review and Evaluation Process (SREP), which is intended to enable a uniform review of banks' risk profiles and serve as a basis for supervisors to decide on any necessary supervisory measures. The results provide banks with important insights into the robustness of their cybersecurity strategy and offer valuable guidance for action.

DORA strengthens the sector – but remains challenging to implement

The European Union's Digital Operational Resilience Act (DORA) clearly regulates cybersecurity (eiopa). The regulation has been in force since the beginning of the year and is intended to ensure and strengthen the operational resilience of the European financial sector. Specific rules now apply to banks, insurance companies, payment service providers, investment companies and critical third-party providers, which are intended to guarantee digital resilience against attacks and IT disruptions. The components of DORA range from the creation of a uniform EU-wide supervisory and legal framework to the obligation to create robust strategies for identifying and managing security risks: IT systems must in future remain stable and protected even in the event of disruptions and cyberattacks – from data availability to data integrity. In addition, a detailed audit of external service providers and their integration into the security structure is mandatory. Companies must not only develop functioning emergency plans but also test and adapt them regularly – every security measure must be documented and presentable upon request.

Identify vulnerabilities, implement standards

The increased security standards are intended to ensure the security and operability of IT systems even in the event of a disruption or attack. This requires first assessing the individual security situation and identifying vulnerabilities. A detailed gap analysis (KPMG) helps with evaluation and prioritization, with critical systems such as payment platforms and customer databases always taking priority. However, the subsequent implementation of the new standards is particularly challenging because changes must be made during ongoing operations – especially for companies with mature IT infrastructures.

Instead of replacing large parts of the IT structure, targeted modular extensions should be implemented that enhance existing systems – for example, tools for real-time monitoring or for automating compliance processes. Technology partners offer solutions that immediately detect suspicious activity and initiate action without jeopardizing ongoing operations. Compliance tasks, on the other hand, can be effectively automated using RegTech solutions. This saves time, enables more efficient risk assessment, and avoids human error.

Review and effectively manage third-party security

Collaboration with third-party providers is crucial, especially in the modern financial sector. DORA sets strict requirements for the management of these third-party providers and the security of digital identities. While such partners are essential for the modern financial sector, inadequate control, concentration risks, and IT security gaps represent significant vulnerabilities – especially since the security measures and resilience strategies of service providers are often difficult for financial institutions to understand.

A failure or security incident on the provider side can have serious consequences for the entire financial sector and expose existing vulnerabilities as potential attack points for cybercriminals. Therefore, financial institutions should schedule regular audits to assess their partners' security standards and resilience plans – especially for critical service providers. Know Your Customer (KYC) is more than just a regulatory requirement; it also helps secure the trust of customers and partners. Precise identity verification is becoming an essential prerequisite for minimizing fraud.

DORA is a challenge and an opportunity

Ensuring compliance with DORA standards is not without its challenges for financial institutions. At the same time, it provides the framework to raise their security standards to a new level and strengthen their resilience, rely on robust processes in the event of an emergency, and quickly restore operability. A modular approach during ongoing operations, the implementation and testing of contingency plans, the optimization of third-party provider management, and the integration of real-time monitoring and compliance enable institutions to meet the requirements. This minimizes both costs and risks while strengthening trust among customers and partners.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
