Achieving DORA Compliance: The Role of Data Virtualisation

By: Charles Southwood, Regional Vice President, Northern Europe and South Africa, Denodo

From January 17th 2025, the Digital Operational Resilience Act (DORA) is set to reshape the financial sector’s approach to IT security and risk management. Introduced by the European Commission, DORA aims to ensure that financial institutions can withstand, respond to, and recover from digital disruptions. It looks to strengthen the financial sector’s resilience to ICT-related incidents and introduces very specific and prescriptive requirements that are homogeneous across EU member states.

With the DORA compliance deadline now passed, many organisations are reportedly struggling to meet the requirements. A recent survey by AuditBoard found that 43% of organisations were expected to miss it. This emphasises how a lack of preparedness puts businesses at risk of severe financial penalties and operational restrictions.

To effectively withstand the impact of ICT incidents, organisations must implement robust systems, measures and controls, supported by comprehensive operational continuity plans, while also testing their effectiveness on a continuous basis.

The struggle with DORA compliance

Despite having had two years to prepare, financial institutions across Europe are facing significant hurdles in meeting DORA’s stringent demands. Key challenges include:

  • Scalability constraints – Financial institutions must ensure all ICT third-party service provider contracts include DORA-specific provisions. For some, this can involve reviewing more than 1,000 contracts.
  • Tight timeline – Many organisations feel that the time frame for full compliance is unrealistic given the complexity of implementation. They point out that the second batch of the European Supervisory Authorities’ regulatory technical standards (RTSs) was only finalised in July 2024, leaving limited time for implementation.
  • Skill and knowledge gaps – IT and compliance teams often lack the regulatory expertise needed for effective execution. There is limited clarity on definitions of critical or important functions (CIFs) and of critical ICT third-party providers.

The consequences of non-compliance are serious, risking significant financial, operational and reputational repercussions. Institutions found in breach may face fines of up to 2% of their total annual turnover or 1% of their average daily turnover worldwide.

Strong data governance as a critical component

Strong data governance is at the core of DORA compliance. Data needs to be efficiently processed and stored while maintaining its integrity and accessibility. This calls for a clear, comprehensive data governance framework that integrates data management practices into the organisation’s overall risk management strategy.

Compliance with DORA also relies heavily on alignment with existing data protection regulations such as the EU General Data Protection Regulation (GDPR). While DORA requires strong security measures for ICT systems that process financial data, GDPR regulates the processing, storage and protection of personal data. Both regulations require the implementation of security measures to ensure that personal data is secured against unauthorised access, loss or misuse.

To meet these standards, organisations will require a dynamic approach to data integration – one that data virtualisation can deliver.

Data virtualisation to meet the gap

Data virtualisation plays a pivotal role by enabling organisations to apply governance and security policies consistently across all data, all without physically replicating the data. This means companies do not have to pay the costs of moving and housing the data yet still gain all the benefits of data integration.

From a cybersecurity perspective, data virtualisation also minimises the impact and likelihood of a breach through masking out portions of the data and through volume-limited or time-limited data access, which restricts access to a set duration or volume. With a virtual layer in place, companies – particularly those with global operations, like most financial institutions – can adhere to international privacy laws without compromising business continuity.

This was the key solution for a large financial holding company that became subject to stringent regulatory oversight when it crossed a $50 billion threshold in assets. To meet compliance demands, the company needed a controlled data environment that ensured that data transfers were fully traceable. Denodo’s data virtualisation platform played a pivotal role here in helping the company to create a Data Services Layer (DSL) with the ability to integrate new data sources and help with the management and movement of data. As a result, the DSL metered usage, monitored in-flight data movement and orchestrated data APIs – allowing the company to manage its data more securely and meet compliance requirements.

The path to compliance

Financial institutions must act swiftly to meet DORA compliance, as further delays are no longer an option. By prioritising robust data governance and implementing data virtualisation, organisations can effectively close the compliance gap and safeguard their operations from potential regulatory penalties.

Companies that take proactive steps now will not only achieve compliance but also strengthen their cybersecurity resilience – positioning themselves for long-term success in an ever-evolving regulatory landscape.

Charles Southwood, Regional Vice President, Northern Europe and South Africa, Denodo

Charles Southwood, Regional Vice President at Denodo Technologies, is responsible for the company’s business revenues in Northern Europe and South Africa. He is passionate about working in rapidly moving and innovative markets to support customer success and to align IT solutions with changing business needs. With a degree in engineering from Imperial College London, Charles has over 30 years of experience in data integration, big data, IT infrastructure/IT operations and business analytics.
