The EU's Digital Operational Resilience Act (DORA) for financial institutions is in action as of January 17.
Financial organizations must now comply with the new regulations that relate to the management of risk and resilience of ICT systems, including those provided by third-party companies such as data centers and cloud computing providers.
The regulation came into force on January 16, 2023, giving financial organizations two years to get their ducks in a row.
Despite this, research from Orange Cyberdefense suggests that as many as 43 percent of British financial institutions are still looking at DORA and won't be compliant for another three months.
Based on a census of 200 UK CISOs and senior security decision-makers surveyed by Censuswide, challenges to compliance have been cited as a lack of prioritization from the wider organization (28 percent), a short timeline to becoming compliant (25 percent), a lack of skills or knowledge (24 percent), and a lack of visibility over supply chain/third-party partners (23 percent).
DORA has been introduced to address the increasing dependence of the financial services industry on IT, making it vulnerable to cyber attacks or disruptions.
A notable example is TSB, which suffered an outage in 2019 after it failed to test a new data center, leaving two million customers of the UK bank without access to their current accounts.
The fallout was massive, with TSB paying nearly £370m ($480m) in "post-migration charges" as a result of the prolonged outage, including for the £25m ($32m) investigation, and CEO Paul Pester losing his job, while other senior executives lost bonus pay.
With many financial institutions turning to data center providers and cloud computing solutions, the regulations extend to those third-party organizations.
"The data center and financial services sectors will experience significant changes due to the implementation of the Digital Operational Resilience Act, which becomes mandatory today," said Adrian Mountstephens, strategic business development for Banking at Equinix. "Critical digital infrastructure providers, like Equinix, may become directly regulated for the first time and will play a critical role in supporting its financial services clients in adhering to stringent requirements."
In 2024 alone, several banks in the EU looked to increase their reliance on cloud computing providers, including the likes of Danske Bank and The Co-operative Bank. Lloyds Bank is a customer of IBM and has also signed cloud deals with Google and Microsoft in the last few years. Barclays, meanwhile, is a customer of HPE GreenLake, HPE's Edge-to-Cloud offering, and has 50,000 workloads on the GreenLake platform.
Those external providers are addressed in Article 28 of DORA, which requires financial institutions to consider "the nature, scale, complexity, and importance of ICT-related dependencies," and "the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level."
Financial institutions must report on their ICT contracts at least yearly, and prior to entering contracts must "identify and assess all relevant risks in relation to the contractual arrangement," and "undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable."
Among the details to be reported are when and what the services are being provided, and where data is to be processed, including storage location.
An exit plan must also be in place should the third-party provider fail to maintain operations for the institutions or not meet regulatory requirements. Financial institutions have the right to monitor, on an ongoing basis, the performance of a third-party provider.
The ICT risk management framework further specifies that it should include "strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centers, and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorized access or usage."
A "Lead Overseer" will be responsible for assessing "the physical security contributing to ensuring the ICT security, including the security of premises, facilities, and data centers."
Mo Joueid, identity security consultant at security platform SailPoint, said: “Nearly 80 percent of financial organizations are concerned about vulnerabilities resulting from overprovisioning third-party identities or non-employee access, according to our research. Increased visibility into supply chains, particularly relationships with subcontractors and partners, amongst others, will be essential in preparation for DORA.
“As DORA comes into effect, firms must evaluate the entitlements of each entity operating within their systems, ensuring access is granted on a need-to-know basis only. This includes processes that carefully manage the onboarding and offboarding of non-employees, as well as the lifecycle in between.”
The full and final text of the DORA regulations can be viewed here.
Read the original article: https://www.datacenterdynamics.com/en/news/dora-comes-into-force-43-percent-of-uk-banks-are-unprepared/