Fortifying Finance

Fortifying Finance Under DORA

The Digital Operational Resilience Act (DORA), enacted by the EU on 16 January 2023, aims to strengthen the financial sector’s ability to manage ICT-related risks, including those highlighted by the COVID-19 pandemic and rising cyber threats. It introduces a standardized framework for operational resilience, ensuring that financial institutions and their critical third-party providers, like Google Cloud, maintain robust risk management, ongoing resilience testing, and transparent incident reporting. DORA places significant emphasis on securing digital infrastructures and minimizing service disruptions which are crucial for market stability and consumer trust. The regulation will officially apply from 17 January 2025, by which time financial institutions must comply with its rigorous standards[1].

 

Building a Unified Framework for Resilience

Strengthening ICT Risk Management

DORA consolidates a broad range of existing EU regulations[2], establishing a standardised framework for ICT risk management. It mandates financial entities to develop comprehensive ICT risk management systems including regular monitoring, incident reporting, and robust operational resilience testing. These requirements aim to ensure the stability of financial services, even under severe operational disruptions, by incorporating critical cyber threat intelligence and vulnerability monitoring into business continuity plans​.

ICT risk management framework in a nutshell[3]:

  • Identification of all sources of ICT risk
  • Protection of ICT systems
  • Detection of anomalous activities
  • Response and recovery plans and procedures
  • Continuous learning and evolving
  • Crisis Communication policies and plans

 

Service Providers Under Scrutiny

A significant aspect of DORA is its extended oversight of critical ICT providers, including cloud service providers like Google Cloud. This new scrutiny is part of DORA’s third-party risk management rules, ensuring that cloud providers are accountable for maintaining high levels of transparency and resilience. Financial entities are required to assess the risks posed by these third-party services, report on their contracts, and ensure critical functions remain intact, even if disruptions occur. The ESAs (European Supervisory Authorities) will also oversee these providers, ensuring compliance with strict resilience and security standards.

Managing third-party risk in a nutshell:

  • ICT third-party risk as an integral part of the ICT risk management framework
  • Strategy on ICT third-party risk
  • Register of information
  • Pre-contracting analyses over ICT services
  • Promotion of standard contractual clauses
  • Empowerment of supervisory authorities to designate and exercise oversight over critical third-party service providers

 

Proactive Resilience Measures

DORA emphasizes proactive measures such as resilience testing and threat-led penetration testing[4], particularly for financial institutions and their critical ICT systems. These tests ensure that firms can swiftly recover from disruptions while minimising the risk of significant failures. The regulation also mandates regular testing of systems and operational resilience measures to safeguard continuous service availability. For large institutions, advanced testing like TLPT (Threat-Led Penetration Testing) will be required, to ensure vulnerabilities are promptly addressed​.

Digital operational resilience testing in a nutshell:

  • A digital operational resilience testing program as an integral part of the ICT risk management framework
  • Advanced testing based on TLPT
  • Requirements for testers for the carrying out of TLPT

 

Google Cloud’s Example

Google Cloud is actively preparing for the implementation of DORA[5] by enhancing its cybersecurity, resilience testing, and third-party risk management capabilities to support European financial institutions. Recognising DORA’s potential to streamline incident reporting, strengthen operational resilience, and enable direct regulatory oversight of critical ICT providers, Google Cloud is committed to aligning with these new regulations.

Through initiatives such as the Cloud On Europe’s Terms[6], Google Cloud ensures compliance with EU requirements for data sovereignty, security, and sustainability. Its industry-leading security infrastructure, including tools like the Security Command Center[7], enables customers to manage and monitor incidents independently. Additionally, Google Cloud supports rigorous resilience testing, including penetration and disaster recovery tests, helping financial entities meet DORA’s requirements.

 

Conclusion

DORA is more than just another regulatory hurdle; it’s a bold directive reshaping the very foundation of operational resilience in Europe’s financial sector. By demanding enhanced cybersecurity, continuous testing, and tighter third-party oversight, DORA pushes financial entities to not just comply but thrive in an era of relentless digital threats. As the 2025 deadline looms, this is a call to arms for the sector: to evolve from reactive risk management to proactive, ironclad resilience. Service providers like Google Cloud are already embracing this challenge, setting the standard with advanced security infrastructures and collaborative transparency with regulators. The question now is not whether financial institutions are ready to comply, but whether they are ready to lead.

 


Ready to future-proof your financial institution under DORA? Discover how Luxembourg’s financial hub is preparing for the challenges and opportunities ahead. Visit LHoFT for the latest insights, resources, and support to ensure your operational resilience strategies are not only compliant but positioned for leadership in this new era of digital security.


 

Footnotes:

Featured Images: Midjourney

Images https://sosafe-awareness.com/glossary/dora/

[1]    For More Information on the Draft RTS :https://www.eiopa.europa.eu/publications/set-rules-under-dora-ict-and-third-party-risk-management-and-incident-classification_en

[2] McCann FitzGerald LLP (30 June 2023), “Exploring DORA: the EU Digital Operational Resilience Act” http://mccannfitzgerald.com/knowledge/finance/briefing-dora-digital- operational- resilience-act  

[3]  Onur Ozdemir (12 April 2023) “DORA regulation: all your questions answered – Read about the new regulatory framework for digital risk management” https://kpmg.com/lu/en/blogs/home/posts/2023/04/dora-regulation-all-your-questions-answered.html

[4] “What is Threat Led Penetration Testing and why does DORA require it” https://www.secura.com/services/integrated-approach/dora/what-is-threat-led-penetration-testing 

[5] Phil Venables (June 4 2022) “Google Cloud’s preparations to address the Digital Operational Resilience Act” https://cloud.google.com/blog/products/identity-security/what-google-cloud-is-doing-to-prepare-for-dora 

[6] https://cloud.google.com/blog/products/identity-security/helping-build-the-digital-future-on-europes-terms 

[7] https://cloud.google.com/security/products/security-command-center  

Author

Oriane Kaesmann

Oriane began her academic journey with a strong passion for literature and psychology.

However, her fascination with new technologies led her to pursue an LL.M. in Space Law at Luxembourg University. She gained valuable experience by interning at the Luxembourg Space Agency and subsequently joined an energy provider focused on the circular Moon economy, and sustainable electricity production with zero carbon impact.

Motivated by her dedication to sustainability, Oriane ventured into the financial sector. She specialized in sustainable finance, working for an international bank, a renowned Big 4 firm, and a consultancy firm, also focusing on compliance and AML/KYC. In search of cutting-
edge developments in the financial industry, Oriane then joined the LHoFT, where she dedicates her time to research and crafting insightful articles and reports on transformative fields such as artificial intelligence, cryptocurrencies and blockchain, Fintech, Regtech, and inclusive finance.

Share This Story!

White Paper

Financing Green Futures Through DLT Innovation White Paper

White paper Leverage DLT to boost sustainable finance transparency, efficiency, and accountability. This white paper explores the transformative potential of Distributed Ledger Technology (DLT) in advancing sustainable finance, offering a […]
Read More