Turning DORA compliance into a competitive advantage

As of January 2025, DORA, the Digital Operational Resilience Act, has come into force, with EU banks, insurers and other financial institutions required to align their operations with this regulation. When done right, DORA’s key themes – operational resilience, cybersecurity, and business continuity – can go beyond mitigating risk and be turned into drivers for competitive advantage and customer value creation. In this article, we explore actionable steps to turn DORA compliance into a business opportunity.
From Compliance to Customer Value
As AI becomes more prevalent, financial institutions are increasingly growing into tech companies. This makes them more scalable and accessible, but at the same time vulnerable in new ways to financial crime, including cyberattacks and system disruptions. The ECB’s October 2024 cyber resilience stress test involving 109 banks shows that many banks are not yet up to the task. Similarly, in December 2024, the U.S. Treasury Department reported a significant breach in which Chinese state-backed hackers infiltrated its systems and accessed unclassified documents.
DORA addresses these risks head-on by requiring ICT risk management procedures, reporting, and testing. The EU’s push for digital resilience through DORA fits within a broader agenda for a stronger and more harmonised EU digital infrastructure and citizen-first financial services – with, for example, the upcoming FiDA (Financial Institutions Digital Adaptation) regulation requiring financial institutions to allow sharing of consumer data with third parties in a similar fashion as Open Banking.
After a cascade of European regulatory changes in recent years, DORA offers an opportunity for a fresh, end-to-end review, simplification and refresh of risk frameworks, an acceleration of digitising risk-prone operational processes, and an enhancement of third-party data sharing.
Next to simplification, such an end-to-end ‘fresh review’ approach can support the efforts of financial institutions to boost customer trust and play an active role in guiding their customers to strengthen their grip on their finances and protect themselves from cybercrime. DORA provides starting points for this with, for example, proactive communication protocols during system outages, data protection measures, and third-party digital resilience.
How to get started: Incremental improvements that lead to big results
An end-to-end DORA review doesn’t have to mean a ‘big bang’ major overhaul. In a similar fashion to continuous improvement in digital customer processes or in the development of AI solutions, DORA implementation can follow a phased approach of testing, learning, and scaling. A second similarity is the importance of organising a DORA review and implementation as a cross-functional effort – combining risk and compliance expertise with insights from data and IT colleagues on technical feasibility and input from the business on how to set up DORA-driven improvements for business and customer value.
Early involvement of these different functions has proven to be the crucial factor for true simplification and business value from regulatory-driven efforts such as these. Third and finally, while technology plays a vital role, digital resilience is ultimately about people and processes, as discussed in its own section below.
DORA-driven value creation across three horizons
As DORA does not live in splendid isolation, we recommend making DORA-driven improvements part of a three-horizon business roadmap that differentiates short-term optimisation from long-term, step-wise transformation and from innovative future bets. We see work to be done on three horizons:
1. Optimizing what you already do: Refining existing operations in a continuous improvement effort to ensure they meet DORA’s standards. For example, enhancing current risk management procedures and implementing routine resilience testing to ensure the systems can handle disruptions without compromising service;
2. Transforming for the future: Streamlining operations end-to-end, with digital resilience as one of the criteria, such as adopting AI-powered security systems that detect and mitigate cyber threats. These transformative efforts require a cross-functional setup;
3. Exploring disruptive ideas: Trialling new concepts in a separate sandbox or innovation lab, e.g., experimental AI-driven security and consumer privacy features.
By managing these horizons, financial institutions can simultaneously meet DORA’s immediate requirements and future-proof their operations.
Empowering people: The human side of Digital Transformation
While technology plays a vital role, digital resilience is ultimately about people and processes. Key focus areas are training employees on DORA’s requirements, reducing key-person risks in processes, and aligning risk awareness and risk appetite with what constitutes a threat today. In this respect, DORA is an opportunity to refresh risk frameworks – removing what is no longer relevant in a joint effort between Risk, IT, and the business.
Ready for the next step?
At SparkOptimus, we help you transform your business to better navigate the ever-growing influence of digital and data. Let’s connect and discuss how we can help you strengthen your digital operations and stay relevant in a changing financial landscape.
