DORA: The drive towards better operational resilience

Kaspar Loog, Director for Product Management at LHV Bank recently joined a panel of experts from NTT Data, Red Hat and the European Banking Authority on a Finextra webinar to discuss the incoming European Digital Operational Resilience Act (DORA). The panel shared their experiences and insights into the opportunities and challenges financial institutions face ahead of the compliance deadline in 2025.

With a focus on the operational resilience of financial institutions - a hot topic in the industry for some time - Sumant Kumar of NTT DATA UK&I talked about the particular relevance of DORA for those organisations going through digital transformation. Supply chains are under scrutiny due to the high level of risk and as the market goes more digital. Sumant suggested that, considering the cyber and geopolitical situations evolving around the world, regulators are right to be concerned about digital supply chains.

Nothing new

LHV Bank’s Kaspar Loog told the audience that when you read through the DORA paper, it becomes clear that the new regulations include nothing new – everything banks will need to be doing under DORA, they should already be doing today. He added that cyber threats are no longer something new; indeed the first cyber attack in his home country of Estonia took place more than 16 years ago. “Any company out there needs to be prepared for cyber threats and third-party related topics. If anything, DORA just casts a more rigid and bureaucratic umbrella over the things any company should already be doing to protect their business and their customers.”

Ramon Villarreal of Red Hat agreed. “Every single financial institution and organisation working in this market, especially in payments, has had to think about operational resilience and business continuity, cyber threat and attack, for a long time.”

And it’s not exclusively happening in the EU; regulation is being introduced in the UK and potentially in the US in the near future too. Ramon went on to confirm that although every organisation has been, or at least should have been, focusing on this for a while, it is important that it is regulated, and that there is governmental control and structure to apply the rules. He added that this is even more important as we move into the new world of digital and cloud.

Andreas Papaetis of the European Banking Authority (EBA) added that one of the new elements brought in through DORA is the new direct oversight framework, to safeguard operational resilience. The EBA will be the lead overseer of critical ICT third-party providers, having been working with and advising the European Supervisory Authority on the details of DORA since 2019.

Andreas added that more specifics of the regulation will be developed over the next year, ahead of DORA becoming applicable in June 2025, and that there is also a significant amount of international work ongoing. As such, international regulators are paying close attention to see how the EU is going to be approaching operational resilience.

The five pillars of DORA
  1. ICT risk management – All about identifying critical services. What is your risk management framework, and how does it feed into the core financial services risk management framework? How do you identify and manage risk and proactively manage cyber risk?
  2. ICT incident management and reporting – How do you report to the regulator? What details do you include? How do you monitor and appropriately manage incidents?
  3. Digital operational resilience testing – How are you testing for various risk elements such as cyber? Bear in mind that testing needs to be proportional to the size of the firm.
  4. ICT third party risk – Having service ownership and monitoring of the risks.
  5. Information and intelligence sharing – Information sharing agreements. Sumant confirmed that NTT Data is already seeing a lot of activity around sharing threat intelligence across the market, and now the regulator will be enabling this cross-industry sharing for risks and threats to the industry.

DORA brings harmonised common rules on ICT risk management and resilience across the entire EU financial sector. The scope of DORA is very broad: 20 different types of financial entities all fall under it and must all comply with the same rules. There is now a single rule book on operational resilience, and it will enhance and streamline ICT risk management for the entire financial sector.

Pointing out that despite the EU “supposedly” being a single market, regulation was fragmented before DORA and the playing field was far from level, Kaspar Loog suggested that every country could set their own bar and their own requirements, especially about resilience and how they identify nationally or life critical service providers, including financial institutions.

However, he doesn’t believe it will raise the bar in all regions. He suggested backtracking to some big questions: Is there a problem to solve? Do we have a problem with resilience in the banking sector? Kaspar added, “I understand there is a concern about control and reporting, but this is very typical of a government institution to worry about these things. Let’s look at the consumer. Is this a problem from the consumer perspective? Do we have an issue that banks are down and not able to get the services, or is the problem that there is no data about it?”

While he believes regulation should be in place and should intervene when a problem is identified and confirmed by data, he also believes the industry is in fact more resilient now than it has ever been. Financial institutions are moving to the cloud, and the big companies dominating the cloud service are more reliable than a bank’s own internal servers. If services are now more resilient, not less, he asked why do we need to begin regulating it now?

Ramon disagreed, sharing that he believes operations used to be more resilient when organisations were able to control their infrastructure rather than using commercial off-the-shelf infrastructure. He added that it is also important to keep in mind that this isn’t just about banks and the operations of the bank but about business continuity of a country: “We need to understand that banks are at the core of that.”

In response, Kaspar shared his view that if a company, or bank, is providing a service and it goes down or has a low overall uptime, customers will vote with their feet. He asked what the facts are, and whether the EBA could share them.

Andreas confirmed that there have been a number of incidents that created disruptions, and the new regulation has been developed over years of industry discussion. The EBA found that financial entities don’t seem to have control of what they outsource, resulting in a strong dependency. He added that they heard of many financial entities locked into specific contracts, making it difficult to amend when it comes to contracting discussions. Supervisory findings showed significant issues identified from the wider cyber security framework at the financial entities, further demonstrating a need for regulation. He also believes there is a need for an element of prevention: “we don’t want something big to hit us and not be able to respond.”

Audience feedback

A poll of the live webinar audience confirmed that few organisations (18%) have a DORA strategy in place. A third have started to talk about strategy implementation, while a quarter have only begun to have conversation about a strategy. Worryingly, 6% have taken no action to date.

How mature is your organisation in regard to Operational Resilience / DORA?

6% - Haven’t discussed or had thoughts on strategy.
17% - Understand the need for strategy.
25% - In early conversations around strategy.
35% - Have started to talk about strategy implementation.
18% - Have a strategy in place.

Sumant confirmed that the poll results are in line with the data NTT is seeing in the market; people are still getting to grips with what needs to be done and how to do it. He said they have found smaller banks are looking into DORA more now, and going through considerations and third-party risks, and many are talking about multi-cloud strategies to minimise risk of downtime.

DORA challenges

Looking at where banks and other financial institutions begin, Ramon shared that one part that must be considered is that there has already been a lot of work with regulation, and it feels as if the sector needs an instruction manual: “When we get into applicability and the strategy of the regulation, there are so many ways, and a widespread approach to how we solve the challenges.”

He went on to add that Red Hat has found smaller banks are surprised by DORA and don’t know what it is or what they need to do. “It is worrying that we’re having those conversations at this late stage, so close to when they need to be compliant.” He also believes a lot of institutions are failing to recognise the benefits DORA can bring to them and their customers.

Andreas agreed that there is still some awareness building to be done, particularly with smaller entities. And, for clarification, he pointed out that in terms of DORA fines and penalties, compliance will be checked by existing supervisory powers, and critical providers will incur administrative fines and penalties if they fail to comply with a request or to provide data on time.

Getting ready for DORA

Kaspar Loog shared that how banks are coping with instant payments in Europe, and their level of up time, is a good example of how they are faring in DORA readiness: “When we look at the amount of down time in the payment network, a real-time payment system, we see there are significant gaps. The older the bank, the more likely it is to go down during the night.

“We can see there is a problem, but uptime is only part of resiliency, alongside acting against external threats. It also shows there are a number of institutions out there who are probably dependent on a sole provider that is sitting on an old platform that is too expensive to upgrade.”

On the other hand, he believes cloud providers have a good enough track record to increase up time.

In conclusion, Sumant Kumar highlighted that the high number of attendees and audience questions on the webinar illustrate that the industry is still learning about this hot topic. He advised those listening to seek advice on the areas where they lack knowledge, and to begin putting a plan together as soon as possible. It will take time to unpack all the elements and regulations that are applicable to their specific business, and they should begin with critical services and wrap other frameworks around that.

Ramon Villarreal added that the industry needs to come together more closely to make DORA a success. Conversations like the Finextra webinar are vital, and need to continue long-term across the industry, involving not just banks but also regulators, technology providers, operations providers, in fact everyone who participates in the industry.

“DORA presents a big opportunity; it is an opener for better and more healthy innovation.”

The panel:

  • Gary Wright, Head of Research, Finextra
  • Sumant Kumar, CTO, Banking & Financial Services, NTT DATA UK&I
  • Kaspar Loog, Director, Product Management, LHV Bank
  • Ramon Villarreal, Payments Industry Lead, Financial Services, Red Hat
  • Andreas Papaetis, Senior Policy Expert, Financial Innovation & Digital Operational Resilience, European Banking Authority (EBA)
