In an increasingly digitalized environment, where finance depends heavily on advanced technologies, user security and trust are fundamental. This is the rationale behind the Digital Operational Resilience Act, commonly known as DORA, which became applicable on January 17, 2025. This key piece of EU legislation, Regulation (EU) 2022/2554, aims to strengthen the digital operational resilience of financial entities and to protect users of the financial sector against risks arising from ICT failures and operational disruptions.
DORA is structured around five pillars: ICT risk management and governance, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Its goal is a robust digital resilience framework that ensures financial entities and their providers keep operating safely and continuously, even in the face of adversity, through clear systems and protocols for preventing, detecting and responding to cyber threats. Thanks to DORA, digital platforms such as banking applications, payment services and investment systems should become safer and more reliable for users. Cooperation between financial entities and regulators facilitates information sharing and enables a quick and effective response to potential attacks, minimizing their impact on users. DORA also introduces an oversight framework for critical ICT third-party service providers, holding them to high security standards in order to protect end users from failures caused by excessive dependence on third parties.
Among other things, DORA requires financial entities to assess and regularly audit their ICT providers and to establish mechanisms that mitigate the risks associated with outsourcing. It also obliges them to report major ICT-related incidents to the relevant financial authorities, improving both response capacity and transparency. Every participant in the financial ecosystem is strengthened as a result: entities learn from their mistakes, reinforce their systems and innovate without compromising security, which ultimately benefits users. At the same time, new technologies are adopted with data protection and trust at the centre, which promotes competition in the sector by encouraging companies to offer better practices and safer, more efficient services.
This represents, without a doubt, a significant step forward in the security and resilience of the financial sector in the European Union. With its implementation, end users benefit from greater protection against cyber threats, more transparency, more reliable services, oversight of external providers, responsible innovation, cost reductions, greater financial stability, a coordinated response to threats of every kind and an impetus for interconnection. The Regulation requires periodic digital operational resilience testing so that platforms can withstand disruptions and users keep continuous, reliable access to their financial services. The intent is that financial entities continue to operate even in unexpected situations or crises, so that in the event of a large-scale cyberattack clients can still use essential services such as transfers or payments without significant interruption.
The adoption of this regulation by the financial sector has a positive impact that goes beyond the sector itself, contributing to a safer and more technologically advanced society. At this point, however, it is inevitable to consider the other side of DORA, its more controversial aspect: the potential negative effects for users.
1.- Compliance with regulatory requirements will generate higher operational costs for institutions. Who will bear these costs? Will they be passed on to users?
2.- Regulatory compliance. Does it hinder the development of new financial technologies accessible to users, as institutions become more concerned with meeting regulatory requirements than with innovating?
3.- How will smaller financial institutions meet DORA’s requirements? Could this signal the end of competition? If so, users would have fewer options.
4.- Communication: does it bring transparency about who is responsible for what, or does it leave users confused about their rights?
The new regulation raises many questions. When it comes to applying for a loan, does it bring older users closer or push them further away? Are we moving towards a more inclusive system? Will the end user be the one who ultimately pays for a safer and stronger financial system? These, in short, are the two sides of a law that advocates the security and strength of the financial system: its benefits, and its potential drawbacks, for end users.
Antonio García Rouco
General Director GDS Modellica EMEA