On Jan. 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) took effect, marking a significant shift in the cybersecurity landscape for the financial sector. Designed to strengthen cyber resilience, DORA imposes strict regulations requiring financial institutions and their critical third-party service providers to implement robust cybersecurity measures.
In effect, DORA requires financial entities across the EU to develop comprehensive information and communications technology (ICT) risk management frameworks, conduct regular resilience testing, and report significant cyber incidents to regulators. The regulation aims to harmonize financial cybersecurity standards across EU member states, ensuring that banks, insurance firms, and emerging crypto-asset service providers can withstand and recover from operational disruptions.
The European Insurance and Occupational Pensions Authority (EIOPA) announced that DORA aims to “strengthen the IT security of financial entities,” making the EU’s financial sector more resilient to serious operational challenges. Adding to this, the European Union Agency for Cybersecurity (ENISA) emphasized that DORA is now binding for all financial institutions, highlighting the regulation’s immediate and widespread impact.
Expanding beyond Europe: DORA’s global reach
While DORA applies solely to EU-based financial institutions, its impact extends beyond Europe’s borders. Technology companies and financial service providers in Asia and North America are reassessing their cybersecurity frameworks to align them with DORA’s stringent requirements, and major technology firms in these regions anticipate adapting their governance frameworks and incident reporting mechanisms to accommodate the law’s extraterritorial reach.
In Asia, financial institutions are refining their ICT risk management strategies and conducting regular resilience testing to ensure compliance. For example, the Monetary Authority of Singapore (MAS) has taken proactive steps to strengthen operational resilience, issuing revised guidelines that closely align with DORA’s mandates. This reflects a broader global trend toward harmonized financial cybersecurity regulations, with the United Kingdom and the United States potentially adopting similar frameworks.
David Turmaine, head of international consulting at NEXT by Broadridge, underscores the urgency of improving cybersecurity resilience, stating, “It’s not a case of if. It’s not a case of when. Significant cyberattacks and ransomware are happening right now.”
The role of tech giants: Google, AWS, and Microsoft Azure
DORA’s enactment also puts cloud service providers like Google Cloud, Amazon Web Services (AWS), and Microsoft Azure under increased scrutiny, as they play a critical role in financial sector operations. Since the regulation applies not only to financial institutions but also to third-party ICT service providers, these companies must comply with its cybersecurity and risk management requirements.
In response, Google Cloud has been strengthening its financial sector compliance solutions, emphasizing zero-trust security models, AI-driven threat detection, and multi-cloud resilience strategies to align with DORA’s mandates.
AWS, a dominant cloud provider for financial institutions, has reinforced its security compliance framework by introducing automated resilience testing and enhanced encryption protocols to align with DORA and other cybersecurity regulations. Meanwhile, Microsoft Azure has prioritized regulatory compliance by offering financial entities advanced cybersecurity tools, including cloud-native threat intelligence and incident response automation, to help meet DORA’s requirements.
Under the new regulation, these tech giants must now include mandatory cybersecurity provisions in their contracts with financial institutions, ensuring greater accountability and oversight in managing third-party risks.
Challenges and industry response
Despite DORA’s benefits, compliance presents significant challenges, particularly for smaller financial institutions that may lack the resources to meet its complex requirements. Legal experts warn that litigation risks could increase, especially when financial firms rely on non-EU third-party ICT providers that fail to meet DORA’s standards.
Additionally, aligning DORA with existing cybersecurity regulations—such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS2)—requires careful coordination to avoid regulatory conflicts.
ENISA has also highlighted the cybersecurity skills gap as a critical challenge, warning that a shortage of trained professionals could hinder DORA’s effective implementation. The agency stated, “The skills gap is acute, and it’s really important,” stressing the need for financial institutions to invest in cybersecurity training and workforce development.
A proactive future for financial cybersecurity
DORA represents a proactive step toward securing the EU’s financial infrastructure, setting a global precedent for cybersecurity regulations in the financial sector. As financial institutions and technology providers adjust to this new regulatory landscape, prioritizing resilience, incident preparedness, and collaborative cybersecurity efforts will be crucial.
With cyber threats becoming more frequent and sophisticated, DORA’s implementation marks a new era in financial cybersecurity—one focused on stronger digital defenses, regulatory harmonization, and global cooperation. As the world observes DORA’s impact within the European Union, other regions may follow suit, establishing a new global standard for financial sector cybersecurity.