DORA: Table Stakes or Strategic Investment?

Over half of Europe’s banks got hit by cyberattacks last year, spotlighting the urgent need for the Digital Operational Resilience Act (DORA) to fortify organizations against digital disruptions. This article delves into how DORA is not just a regulatory necessity but a potential key for unlocking operational resilience.

By the second half of last year, more than 50% of European banks had fallen victim to at least one successful cyberattack, while 84% of critical service downtime was linked to change and software issues.[1] Whether you are the head of a retail bank, a CFO, CTO, CIO, CISO or a platform engineer within a financial institution, these complex challenges are likely familiar.

Set against the backdrop of an intensifying threat landscape, the Digital Operational Resilience Act (DORA) came into force on 16 January 2023, and will apply as of 17 January 2025. DORA is a European regulation designed to address the need for a robust operational resilience strategy, consolidating key features like governance, ICT risk management, digital resilience testing, incident management and third-party risk management.

While some financial industry players may see DORA simply as a license to operate, others are recognizing the strategic advantages of a comprehensive, structured approach to limit system disruptions. Crucially, the true benefits of DORA can only be unlocked when the right approach to resilience is taken, and key challenges are overcome.

[1] ECB – IT and cyber risk – key observations 2023

Why many face DORA failure

Operational disruptions, reputational damage, financial losses, and increased exposure to cybersecurity threats are key risks associated with hasty, one-off compliance efforts. For those that take a comprehensive approach, the benefits include enhanced resilience planning, better communication, faster incident response and optimized tech infrastructure.

A variety of challenges must be addressed thoroughly by organizations if they are to successfully adopt DORA, including:

  1. Treating DORA as a one-off compliance exercise. By failing to integrate operational resilience into your overall business strategy, you neglect an indispensable capability and miss out on the benefits that DORA has to offer. Too often we see organizations treating compliance with these regulations as a “must do”, without properly thinking through how the underlying principles of these regulations could contribute to the achievement of their strategic goals, such as improved customer experience.

  2. Unclear roles and responsibilities across departments. If DORA is treated as an IT regulation rather than an enterprise-wide regulation, communication between departments will not be adequate. Non-IT board members need to be aware of what is at stake in order to set the right tone from the top down, especially with technology at the heart of banking operations today. While we have observed an increase in IT expertise at board level, the current representation is still not sufficient to drive organization-wide alignment. This was also recognized by the ECB’s 2020 SREP results, which indicated a higher success rate of cyberattacks and more system downtime in cases where fewer than two board members have appropriate IT expertise.

  3. Difficulty integrating DORA requirements within existing systems. Tightly interwoven legacy systems often require extensive and costly change to accommodate DORA requirements. Accelerating the modernization of legacy environments will be key. We see many organizations, especially banks, still reluctant to modernize because of the risks and costs involved. This remains the case in spite of the potential to achieve a more flexible, modular and resilient architecture. Players can achieve this by spreading risk across different systems and components, rather than relying on a single monolithic system.

  4. Inappropriate scoping of entities and critical business functions. A lack of thorough understanding of the regulatory requirements, combined with poor collaboration among the different entities involved, is a major stumbling block and may eventually expose you to risks you are not aware of. For example, a leading European insurance player initially did not include smaller subsidiaries in the scope of its risk management and resilience efforts. This was done to limit the effort required of the largest group entities, without realizing that it could jeopardize overall security.

To tackle challenges like these holistically, a dedicated approach is needed that views digital operational resilience as more than just compliance. Resilience is also about building competitive advantage that can withstand the challenges of tomorrow’s financial services landscape, and should incorporate financial and organizational resilience matters as well.

Unlocking business value through foundational capabilities

At a minimum, robust digital resilience capabilities must be implemented in the following areas to achieve enhanced business value:

  1. Governance & Organization: Business and IT functions need to collaborate, be educated, and ensure proper strategy setting.

  2. Risk & Control: Existing risk and control functions need to be strengthened, especially with regard to determining critical business functions and setting tolerances.

  3. Technology: Resilience should be woven into IT systems, data, and infrastructure.

All financial organizations need to develop these foundational capabilities in-house while working towards integrating industry best practices. Doing so will help identify commonalities across different regulations, enabling you to leverage the right best practices and become an operational resilience leader.

The exhibit below represents an overview of digital resilience capabilities that are well aligned with the DORA requirements. This example features a detailed list of capabilities that can be used to self-assess your organization’s level of digital operational resilience.

To support the building of these foundational capabilities, there are key levers to consider in each critical area. When it comes to technology, two levers are critical to success in further embedding resilience within your organization:

The first lever is the implementation of Site Reliability Engineering (SRE), which elevates both system resilience and performance while embedding key principles that surpass basic compliance. This is particularly relevant when embedding IT resilience at the core of your organization, making it an indispensable part of your wider IT strategy. SRE involves a number of key principles that align well with the DORA requirements at a high level, while also equipping you to look beyond mere compliance.

When working with clients, we have seen this lever significantly boost resilience, efficiency, and the speed of digitization efforts.

A second key technology lever that we see our clients using frequently is the decoupling of data layers from existing legacy systems. This enables them to significantly enhance their monitoring and reporting capabilities and to become better equipped to identify where resilience challenges occur. This lever is also beneficial for reporting on resilience levels to senior management and regulatory bodies.

Decoupling is especially beneficial when it comes to the integration of new regulatory requirements, as you are able to apply them on a more modular, flexible architecture. BCG’s own methodology on decoupling data from core platforms has helped our clients to accelerate lead-times, generate savings and become more agile.

The accelerated pace unlocked by these levers empowers teams to deploy resilience capabilities more effectively, while tapping into greater capacity to develop differentiating engineering capabilities in-house. As a result, time to value and overall competitiveness are significantly enhanced.

The verdict

So, table stakes or a strategic investment? While DORA is necessary for regulatory compliance, operational resilience can only truly be unlocked by taking the right approach to implementation. As financial services players navigate today’s dynamic environment and complex threat landscape, achieving robust operational resilience will undoubtedly be a competitive differentiator.

Want to find out more about the levers highlighted in this article? Please reach out to our team below!

About the Authors

Alexandre Aractingi

Managing Director and Partner
Paris, France

Alexandre is a Managing Director and Partner at BCG. He focuses on Technology Advantage topics, mainly for the Financial Institutions and Telecom spaces. Prior to joining BCG, Alexandre worked for Net-tone / Active Telecom for 5 years, as lead Network Architect. Alexandre graduated from Telecom Paris in 2000.

Pieter Himpens

Managing Director and Partner
Brussels, Belgium

Pieter is a Managing Director and Partner at BCG Brussels. He focuses on Strategy, Target Operating Model design and large scale Transformations in the Banking and Insurance space across Europe. He holds an MBA from Chicago Booth and two MSc degrees from KU Leuven.

Tim Pieters

Associate Director
Brussels, Belgium

Tim is Associate Director at BCG Platinion in Brussels, leading digital transformation projects in data, cloud, and GenAI, with a key focus on Financial Institutions and Insurance. Before joining BCG in 2019, he managed large outsourcing sales engagements at IBM Europe. Tim holds two master’s degrees from KU Leuven, in Electronics Engineering and Industrial Management.

Robin Blondeel

Manager
Brussels, Belgium

Robin is a Manager at BCG Platinion with over 10 years of experience in IT strategy, program de-risking, and governance, risk & compliance (GRC), primarily in the financial services industry. Before joining BCG, he was a senior manager at EY, leading their Belgian GRC activities. Robin has a strong understanding of IT regulations affecting financial services (e.g., DORA, EBA/ESMA/EIOPA guidelines).