By Richard Sampson, Chief Revenue Officer at Tax Systems
A growing dependency on technology within the finance industry has left businesses vulnerable to security breaches. The last few years have seen an increase in cyber-attacks, and with no sign of this stopping in 2025, keeping security tight has been of growing concern within the finance sector.
In a bid to address this, the EU introduced the Digital Operational Resilience Act (DORA), which came into force in January 2025. DORA requires financial institutions to adhere to guidelines that aim to prevent ICT risks from materialising into security breaches.
In doing so, it aims to enable financial companies to improve their security by enforcing robust measures – financial institutions will be better equipped to prepare for, withstand, and recover from ICT disruptions. Under DORA, financial institutions must collaborate on cyber security by sharing threats and vulnerabilities to utilise collective defences.
Failing to adhere to DORA can leave financial institutions vulnerable to cyberattacks and disrupt their business, taking it completely offline in some circumstances. In addition, they could face reputational damage and financial penalties – these could be as high as 2% of global annual turnover for financial institutions or €10 million, whichever is higher. Third-party providers can also face fines of up to 1% of their average daily global turnover for as long as six months, or up to €5 million. Companies will also face more frequent scrutiny from regulators.

Implications of DORA
With the ultimate aim being to tighten security across the entire financial landscape, DORA will also subject the IT and service providers of DORA-regulated entities to additional scrutiny. Financial institutions will also want to ensure that their IT providers are compliant with DORA and meet the necessary security standards. Whilst these suppliers themselves are not directly affected by the new regulation, compliance with DORA may mean the difference between winning and retaining customers, or losing them. It is important to note that financial entities may also request information on the IT vendor's use of subcontractors as part of their due diligence.
A range of key activities to consider when working with IT suppliers to uphold DORA standards are:
Risk Assessments, Resilience & Due Diligence: Standards set out by DORA stress the importance of operational resilience. As such, companies are expected to utilise a variety of methods to best prepare for, overcome, and withstand attacks. IT and service providers must maintain high levels of risk and incident management by carrying out regular assessments to highlight any potential weakness within their security measures so that these can be addressed. As part of this, organisations are expected to carry out scenario-based assessments to demonstrate where and when anything could go wrong, and the aftermath of a range of different scenarios. Continuity planning is also necessary so businesses can plan how to maintain operations when facing a security issue – companies are expected to strategise for worst-case scenarios, to future-proof themselves against security breaches.
Contractual Agreements: Even contractual agreements aren’t safe from the stringent measures of DORA. Financial entities and their IT vendors must meet certain requirements as laid out by the act. This includes earmarking business functions as ‘critical or important’, so that the impact on the business is understood should such a function be affected. Additional requirements apply when these functions are involved. Master Service Agreements, outlining the terms of business between financial institutions and IT vendors, must be updated under DORA to demonstrate they meet the requirements.
Information Register: For financial entities to monitor their ICT third-party risk, DORA requires them to maintain information registers. These registers are standardised central databases that detail the contracts between financial entities and IT suppliers, including any subcontractors that their IT partners use. Information registers are used to track data such as the ICT services utilised, who the providers are, and the supported business and operational functions. Companies storing information registers need to look at their critical or important functions, document ICT third-party providers and their services and utilise standard templates specified by DORA to ensure uniform reporting.
With all of these factors to consider, DORA adds a significant workload to finance and IT teams in terms of both time and resources. This inevitably raises costs for all involved, which adds another dilemma – who swallows these costs? Whilst organisations and vendors get to grips with DORA and all of its implications, they will seek the best way to balance the increased service levels with efficiency and cost savings. Although all parties involved may experience a rise in costs, the price of non-compliance is likely to be much greater, in terms of both financial burden and reputational damage.
DORA details strict and stringent criteria for financial institutions, and to avoid the consequences of non-compliance, it’s crucial that businesses stay ahead of the curve and meet the requirements laid out in the act. Failing to take action won’t just leave your business exposed to repercussions, but will leave you vulnerable to cyber-attacks and in a weak position to recover effectively. Poor preparation now will affect your business’s ability to be operational in the future.