By Sarah Draper, General Counsel and Chief Risk Officer, Telehouse
The stability of the finance sector is under threat from cyber attacks and climate-related disruptions, to name but two challenges. The average cost of an attack in the industry can be as high as $6.08m, according to the IBM Cost of a Data Breach Report 2024, considerably higher than the global average of $4.88m.
To address the challenge, the Digital Operational Resilience Act (DORA) sets out strict standards to help build resiliency among financial organisations. It’s a sweeping regulation that covers firms in the EU and organisations that supply services to them. Primarily, it requires businesses to incorporate incident management and risk assessments, but another key aspect of the regulation is the concept of shared accountability.
Banks and insurers need to take responsibility for their suppliers, including data centre providers. For these partners, DORA requires comprehensive records of the procedures they have in place to meet the regulation’s requirements, and evidence of risk mitigation procedures must be produced on request. Compliance with DORA therefore hinges on ensuring that partner security is considered, alongside the tools that these partners can offer to help build resilience.
Establishing a culture of proactive risk management
DORA emphasises the shared responsibility between institutions and technology partners, encouraging all stakeholders in the financial ecosystem to adopt a proactive approach to risk management. Achieving compliance requires institutions to work closely with key suppliers, including data centre providers.
An operational failure in a data centre could result in financial services customers inadvertently breaching the regulation if their services are interrupted. It’s therefore crucial that data centre operators with customers in the finance space maintain secure, reliable and continuous services themselves to meet the regulation’s requirements, even in the face of external disruptions.
Financial services organisations must carefully assess the risk management practices and incident response strategies implemented by their selected data centre provider. In practical terms, this could involve running joint drills for cyber incident containment or ensuring reporting processes for security events are comparable. This can help finance firms to simplify potentially complex reporting requirements stipulated by the regulation.
In the event of a cyber incident, DORA compliance mandates firms to promptly report the breach to regulators, providing details of the incident and the reasons it occurred. If reporting structures are simplified between the firm, its service providers and any other subcontractors involved, the relevant information can be relayed to the regulator quickly and effectively.
Achieving compliance with key tools
Close cooperation between third-party ICT providers, such as data centres, and financial institutions is essential to meeting DORA’s audit requirements. Additionally, the services and tools provided by these suppliers can help improve the operational reliability of the firms they support.
For instance, data centres maintain highly secure environments via measures such as physical barriers, biometric access controls, CCTV surveillance and robust cyber security protocols. These safeguards protect critical systems and sensitive financial data, strengthening risk management efforts in line with DORA compliance. Access to leading cloud providers enables data to be stored in multi-cloud setups, with workloads spread across multiple providers to enhance security.
Data centres utilise redundant systems, including multiple power feeds and backup generators, to maintain uninterrupted operations, even during power outages, equipment failures or other significant incidents. Financial institutions can therefore avoid the risk of downtime and potential fines. DORA fines can be up to 2% of a company’s annual turnover for non-compliant entities and that is just one type of penalty the regime has in its toolbox.
Data centre providers offer scalable and distributed network connectivity that can handle growing traffic demands while maintaining low-latency performance. This ensures that financial institutions can deal effectively with peak transaction volumes during busy periods, maintain real-time data sharing and prepare for open finance initiatives. Open finance, which allows consumers to grant third parties permission to access their financial data, can lead to the creation of new financial products and services.
By combining these services, data centre providers can serve as a central platform for financial institutions striving to comply with DORA, enabling firms to move away from outdated legacy systems that fall short of today’s resilience standards. Once DORA compliance is secured, it acts as the foundation for meeting broader regulatory developments, such as the Framework for Financial Data Access (FFDA), which focuses on seamless data-sharing practices throughout the EU bloc.
Building a secure financial future
DORA is a significant advancement in protecting the financial sector from modern threats. By promoting shared accountability and a proactive approach to risk management, it ensures that institutions and their technology partners are better equipped to handle operational disruptions and meet regulatory expectations. Partnering with a reliable data centre provider is essential to fulfilling these obligations. Secure, scalable and resilient infrastructure supports both compliance and risk mitigation.
By aligning their operations with DORA’s requirements, financial organisations can strengthen their resilience against current risks while preparing for future regulatory challenges. Leveraging robust tools and forming trusted partnerships will help secure the sector’s long-term stability and adaptability.