DORA Cybersecurity Compliance Impact on Fintech CSPs: What You Need to Know

DORA Overview

The EU's DORA (Digital Operational Resilience Act) is a pivotal regulation designed to address ICT (Information and Communication Technology) cybersecurity risk in EU FSIs (Financial Services Institutions). The classification of ICT systems is broad and includes any technology that enables communications, data sharing, and global connectivity between humans, and between humans and machines. That covers practically every fintech CSP (Cloud Service Provider). DORA rules were finalized in January 2024 and go into effect in January 2025.

The origins of DORA are rooted in the rapid digitization of FSIs during the pandemic, when cyber readiness unfortunately did not keep pace, making the EU financial sector a ripe hunting ground for cyber thieves.

Cyberattacks on EU FSIs more than doubled between Q2 2022 and Q2 2023. More importantly for fintech CSPs, 78% of Europe's larger financial institutions experienced a third-party breach in the past year. To quantify the uptick in attacks, regulators examined insurance claims and determined that cyberattacks were the primary cause of financial loss to EU FSIs.

So what's the issue? Banks have plenty of money to cover the losses. The problem is that EU FSIs are highly interconnected: if one firm goes down because of a cyberattack, it could bring down the entire system, posing a systemic risk to the EU financial system that regulators cannot ignore. For fintech CSPs, this Bible verse (or Leonard Cohen song) rings true: "Whither thou [FSI] goest, I will go."

Forbes points out, "What is unique about DORA is that it does not only apply to FSIs but extends to a group of non-financial service providers—e.g., third-party IT service providers—including the cloud computing services, software, data analytics services and data centers." In most cases, those third-party IT service providers will be fintech CSPs.

While FSIs and the CSPs that support them may find compliance onerous, DORA gives firms that can demonstrate cyber resiliency a unique opportunity to build value and gain competitive advantage.

The rule is broken into 5 key areas:

  1. ICT Risk Management and Governance Framework
    • FSI Requirements
      • Mapping ICT systems.
      • Identification and classification of critical applications and functions.
      • Documentation of dependencies between applications, processes, and the owners of those applications.
      • Continuous assessment of the framework and its capability to document and classify ICT cyberthreats, and of the steps taken to mitigate risks.
      • Scenario-based impact analyses to assess how specific scenarios and severe disruptions might affect the business. FSIs should use the results to improve the design of their ICT infrastructure.
    • CSP Considerations and Actions
      • Do a gap analysis of cybersecurity capabilities.
      • Invest now to plug the gaps.
      • Do a similar gap analysis and risk remediation on BC (business continuity) and DR (disaster recovery) capabilities.
      • Build out an internal DORA compliance project plan.
      • Build out a client-facing DORA compliance project plan.
  2. Incident Response and Reporting
    • FSI Requirements
      • FSIs need to standardize response processes and report incidents using the pre-defined templates stipulated by the regulators.
    • CSP Considerations and Actions
      • Determine whether you can report on ICT-related incidents quickly and in a format suitable for EU regulators.
      • If you haven't done so already, now is a good time to invest in incident management and response technologies.
  3. Resilience Testing
    • FSI Requirements
      • FSIs need to test their ICT systems once a year for strengths and vulnerabilities using an independent tester.
      • Results and remediation steps need to be reported to EU authorities.
      • FSIs and third-party providers critical to the financial system need to conduct TLPT (threat-led penetration testing) every three years.
    • CSP Considerations and Actions
      • Per DORA, FSIs need to manage DORA compliance for third-party systems as if those systems were their own.
      • To support clients, a CSP will need to test its systems once a year with an independent internal or external resource per DORA Article 24.
      • Consider adding industry security certifications and audits such as:
        • ISO 27001 (controls and procedures)
        • ISO 27701 (data privacy)
        • SOC 2 audits (third-party auditing standard)
        • STAR (Security, Trust, Assurance and Risk), a certification specific to CSPs
  4. Third-Party Risk Management
    • FSI Requirements
      • FSIs need to manage third-party risk as rigorously as they do for in-house systems.
      • Regulators are going to prescribe templates for third-party contractual agreements, including exit strategies, audits, and SLAs for accessibility, integrity, and security.
      • FSIs won't be permitted to contract with third parties that can't support DORA compliance.
      • Critical third parties will be subject to direct oversight from EU regulators.
    • CSP Considerations and Actions
      • Work with clients to update contracts per DORA Article 30.
      • CSPs should map their third-party vendors/partners and any fourth-party technology those vendors may use.
      • CSPs should understand their third-party vendors'/partners' cybersecurity, BC and DR capabilities and weaknesses.
  5. Information Sharing and Intelligence
    • FSI Requirements
      • EU FSIs need to share cybersecurity information and intelligence with FSIs in other member states.
    • CSP Considerations and Actions
      • Share your DORA compliance project plan with FSIs.
      • Have a plan for capturing lessons learned that can be shared with FSI clients for continuous improvement.

When trying to understand to what degree your FSIs and your firm need to comply, refer to DORA Article 4, which states that FSIs should take "…into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations." DORA rules provide guidance, but ultimately FSIs and their CSPs will need to draw their own conclusions from Article 4 about the degree to which they must comply. Fines for noncompliance are 1% of annual revenue for a company and 1,000,000 EUR for an individual. Overcompensating on Article 4 can't hurt.

The Opportunity

CSPs

Besides the fact that there is no option but to comply, CSPs can bolster existing relationships now by demonstrating how they will support their FSIs with DORA compliance. See Google example here. CSPs also have an opportunity to win new FSI logos by using DORA preparedness as a foot in the door against competitors that fail to prepare for DORA.

FSIs

The biggest opportunity for FSIs to build value in 2024 is reducing data breaches and improving cyber resiliency through DORA compliance. As noted above, cyberattacks are the primary cause of financial loss to EU FSIs. Moreover, the average public FSI's stock price declines 7.5% after a data breach. FSIs will depend on their CSPs to realize this value-creation opportunity.

Conclusion

As former GE CEO Jack Welch aptly put it, "Change before you have to," and "With change there is opportunity." FSIs will need to change and improve cyber resiliency per DORA or face fines, reputational risk, and the overall loss of value that will result from noncompliance. Thus, FSIs will be forced to contract with CSPs that have the requisite cyber resiliency practices in place, as well as the SLAs and contractual terms required by DORA. Those CSPs that can demonstrate DORA compliance will have a huge competitive advantage over those that can't.

Please feel free to reach out to me at Graves Light Consulting—our fintech, cybersecurity, and regulatory compliance experts can provide thought leadership and sales enablement so your firm can better support your clients with DORA, sell smarter, and sell more.

dbrown@gravesligntconsulting.com