Starting January 17, 2025, the Digital Operational Resilience Act (DORA) will become mandatory for all European financial entities, including banks, insurance companies, crypto-asset firms, and financial market infrastructures. This regulation represents a significant step toward bolstering financial institutions’ resilience against digital risks. As cybersecurity becomes a top priority, DORA sets out strict requirements for IT risk management and data protection, aiming to ensure the stability and continuity of the European financial sector, even in the face of major disruptions.

DORA promotes a proactive approach to managing operational risks related to information security through five key pillars:

  • ICT risk management: Financial entities must implement robust processes to effectively manage ICT risks.
  • Incident reporting: Entities are required to report major IT incidents to national authorities.
  • Resilience testing: Financial entities must conduct resilience tests to identify vulnerabilities against cyber threats.
  • Third-party provider management: DORA enforces strict oversight of ICT service providers to ensure they meet high security standards.
  • Information sharing: The regulation encourages cooperation and information-sharing on cyber threats among financial entities.

Implementing these five pillars is the responsibility of each financial entity and requires significant organizational, procedural, technical, legal, and informational preparation. The transition is well underway: a recent Acuiti study reveals that “nearly 90% of companies are increasing their investment in third-party risk management to meet DORA requirements and other regulations.”

For financial and insurance companies, the challenge is twofold. They must not only comply with DORA’s five pillars but also work closely with suppliers that meet the new industry standards. To optimize compliance efforts, companies benefit from managed services provided by their third-party ICT service providers, whose expertise helps smooth the transition.

Image: DORA strengthens ICT risk management, demanding resilience, supplier security and information sharing for optimal compliance © Getty Images

Is the DORA compliance deadline too short?

The timeframe between the finalization of DORA’s regulatory requirements and its enforcement is tight, leaving financial entities limited time to adapt. At SBS, many clients have expressed concerns over the tight deadline. However, these concerns should be considered in context:

• The regulatory shift surrounding digital resilience is not a one-off event; it’s a long-term process that requires a multi-year, multi-dimensional approach. The goal is to gradually integrate the new requirements.

• It’s an evolving process. While legal compliance is the end goal, the journey for financial institutions and supervisory authorities goes beyond simple adherence to the rules, continuing until regulations are fully implemented.

• Adaptation must be based on operational risk analysis. Successful financial institutions focus on identifying critical processes and information systems, such as core banking systems that centralize business value, to optimize the cost and timeline of DORA compliance.

What strategy should you adopt?

According to a McKinsey study, institutions are planning to spend between €5 million and €15 million on DORA compliance. Additionally, almost four in 10 financial entities and ICT providers dedicate more than seven full-time employees to their DORA programs. Financial institutions, therefore, need to be pragmatic in finding the best solutions while keeping costs under control.

In this context, managed service providers can help accelerate the process and streamline compliance efforts. As a third-party provider of strategic solutions, including integrated core banking systems, SBS supports its clients in navigating the evolving regulatory landscape. SBS has implemented dedicated support for managed services clients, ensuring compliance with DORA’s five pillars.

Image: Managed services help financial entities comply with DORA by optimizing costs and accelerating compliance © Getty Images

What are the benefits of relying on SBS managed services?

At SBS, DORA is seen as an opportunity because our solutions and services enable clients to control the costs of building cyber resilience. SBS offers:

1. A comprehensive information system (IS), always available and up to date.

Cyber resilience relies on continuous updates and strict version control. With close monitoring of versioning policies, SBS ensures the latest technological innovations are integrated, offering advanced features like API portals. Network and connectivity security are enhanced to ensure optimal performance and long-term infrastructure sustainability.

2. Regulatory compliance at controlled costs.

Through a strong partnership with Sopra Steria Group, SBS provides leading cybersecurity services that ensure compliance with DORA, ISO 27001, and GDPR—while keeping costs in check. Combining deep expertise in cyber resilience and regulatory frameworks with advanced security services like vulnerability and penetration testing, SBS helps protect sensitive data and boost customer confidence in an increasingly digital world.

3. Total cost of ownership (TCO) optimization.

SBS specializes in optimizing TCO: by pooling IT resources, companies can streamline the costs associated with security assets while scaling to meet growing needs, helping businesses maximize their investment in cybersecurity.

4. Strategic execution.

By controlling operational risks and eliminating technological instability, SBS ensures the efficient execution of financial institutions’ strategies. This involves resource sharing, simplifying skill acquisition, and upgrading technical infrastructures.

SBS’s managed services help financial institutions achieve operational resilience, securely transform banking operations, comply with new regulations at controlled costs, and optimize risk management—freeing up teams to focus on strategic priorities.

Conclusion

DORA regulations are based on the goal of achieving sustainable operational resilience. This transition goes hand-in-hand with the search for more flexible models, such as managed services, representing a shift toward solutions better suited to the needs of businesses that must optimize both risk management and operational efficiency. In this context, DORA is more than just a regulatory requirement; it is a proactive opportunity for transformation, pushing financial entities to modernize their systems, move beyond standardized models, reduce long-term costs, and enhance their competitiveness.

François Péchard

ISO (Information Security Officer) Cloud Operations

SBS