Rules on digital operational resilience come into effect for EU financial sector
EU’s DORA regulation for the financial sector came into force on 17 January 2025
The European Union’s new regulation on digital operational resilience for the financial services sector has now come into force, a little over four years after it was first proposed.
Specifically for the financial sector, the Digital Operational Resilience Act (DORA) came into effect on 17 January 2025 to establish a framework for managing digital operational risks within the European financial sector.
DORA is a regulatory framework designed to strengthen resilience against digital disruptions. It applies to banks, insurers, investment firms and other financial institutions, as well as to key third-party service providers, including cloud computing services.
Although the measures were first proposed in September 2024 and were adopted by the European Council in 2022, several major IT outages have occurred since, highlighting the strong need for such a regulation. Among the major IT outages that have severely impacted businesses in all industries and regions is the July 2024 CrowdStrike outage. This was caused by a content update for Microsoft Windows hosts, which brought down more than eight million computers running Microsoft systems around the world.
The incident was estimated to have cost Fortune 500 companies more than US$5 billion and was not the first outage to cause widespread chaos.
In December 2022, TSB was fined £48.65 million relating to “operational risk management and governance failures”, including management of outsourcing risks relating to the bank’s IT upgrade program. The technical failures in TSB’s IT systems resulted in customers being unable to access banking services leading the bank to pay a further £32.7 million in redress to customers. CIO Carlos Abarca was fined personally.
Jonathan Armstrong, partner at Punter Southall Law in the UK, says: “At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”
Although an important regulation for digital resilience, DORA has naturally caused concern among the financial services, tech and cyber security communities.
Armstrong says: “So it’s important for businesses to understand fully their responsibilities. Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025.”
Although DORA does not apply to the UK financial services sector as such, it does apply to UK firms that are also subject to the EU regime, and in total it is estimated to impact 22,000 entities.
What is the DORA regulation?
DORA isn’t entirely new. It is designed to consolidate and upgrade IT risk requirements throughout the financial services sector in the EU. This will standardize regulation by ensuring that a wide range of financial services participants are subject to a common set of standards to mitigate ICT risks, including those posed by cyber security incidents.
It isn’t just about keeping financial services online during outages. DORA also covers supply chain resilience with requirements for:
- Dedicated ICT risk management capabilities
- Reporting of major ICT-related incidents
- Digital operational resilience testing
- Management by financial entities of ICT third-party risk
- Information sharing among financial entities
Because so much of the IT infrastructure used in financial services is cloud based, the rules also extend to critical ICT providers, such as cloud service providers.
Armstrong says: “It is important to remember that the main DORA Regulation is binding legislation that is directly applicable in Member States after its entry into force. The DORA Directive will need to be transposed into each Member State’s national law.”
How businesses can adhere to DORA
Armstrong highlights that any organization in the DORA regime, or providing services to those that are, will need to consider how to meet their responsibilities under the new rules.
Whilst existing risk management and GDPR systems and processes can help, Armstrong says implementation is still likely to be “a significant project for most”.
Armstrong says implementation should include the following key steps:
- A gap analysis to focus on the work that needs to be done. This could include scope questionnaires for various parts of the business.
- Training on operational resilience, which is likely to include the IT team, communications professionals and the compliance function.
- Implementing processes and procedures to do horizon scanning and respond promptly to incidents. This is likely to include a review and testing of an organization’s incident response process.
- Assessing skills and expertise among the board and senior management teams and recruiting to plug any gaps that emerge.
- Understanding the regulatory regime, including who the key regulators will be and how organizations will meet their obligations to keep them informed.
- Looking at and assessing contracts to see whether it will be necessary to add a DORA addendum.
- Mapping critical and important functions.
- Robust testing of new processes and the measures put in place.
Armstrong also highlighted the specific actions both financial services businesses and third-party providers should take:
- For financial services organizations: Working out key dependencies, mapping devices and storage locations etc. and ensuring that compliant contracts are in place with all third-party providers.
- For third-party providers: Working out which key clients are likely to be in the DORA regime and anticipating the assistance they will need to comply. This could include white papers, FAQs or template responses.
Armstrong concluded: “Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements. Organizations should seek specialist advice to ensure they fully understand how DORA and the UK rules apply to them.”