The Digital Operational Resilience Act (DORA) is looming, less than one month away, and banking remains one of the top five sectors hit hardest by outages, according to Downdetector data. In fact, nearly a million outage reports were made about UK banking services in the first eight months of the year via Downdetector UK. The highest volume of reports was made up of the large, traditional banks, highlighting the challenge financial service providers face in keeping up with the demands of digital service provision that consumers have grown to expect.

Whilst only a third of organisations are confident in their ability to meet DORA’s regulatory expectations by January 2025, the industry has recognised the importance of digital operational resilience, and banks are working hard towards DORA compliance. Clearly, there is work to do.

Understanding DORA

DORA is a new EU regulation that holds financial institutions (FIs) and their digital technology suppliers to higher standards regarding cybersecurity. The regulation, which will be enforced from January 17th 2025, requires banks to fortify their IT security to guard against cyber attacks and outages more robustly. The need for financial firms to mitigate risks from third-party tech vendors has become even more pronounced following the faulty CrowdStrike software update that saw multiple banks, payment firms and investment companies unable to deliver services to customers for several hours.

As part of this fortification process, firms must thoroughly assess risks both internally and with third-party IT providers. These providers are often responsible for critical operational functions and will be held to the same standards as the firms themselves to guarantee resilience.

Failure to comply can result in fines of up to 2% of a bank’s annual global revenues. Providers will also be liable to pay up to 1% of their average daily global revenues in the previous business year.

The banking industry is susceptible to outages

Between January 1st and August 31st of 2024, Downdetector received more than 854,000 outage reports about UK banking services, putting banking in the top five sectors worst affected by outages.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The banking industry is highly susceptible to outages due to its reliance on interconnected digital systems and numerous third-party vendors. With vast networks of financial, personal, and regulatory data moving between these systems, even minor software glitches or infrastructure failures can trigger widespread service disruptions. As traditional banks increasingly adopt cloud technologies and digital platforms to compete with neo and challenger banks, they face further vulnerability points where outages could impact millions of users simultaneously.

The CrowdStrike outage in July this year has highlighted the increasing need for more robust regulations like DORA. This incident affected FIs significantly, including Visa, which received more than 64,000 user reports on July 19th compared to its typical daily average of just 1,500.

DORA’s required (and more rigorous) assessment of third-party IT providers would help reduce the likelihood of outages like the Crowdstrike outage, and non-compliance would have fallen under DORA’s jurisdiction, potentially landing hefty fines on EU banks. DORA’s standards would likely have required CrowdStrike to implement stronger safeguards and contingency plans, enabling faster detection and recovery, as well as ensuring that FIs can continue critical operations even during disruptions.

DORA compliance is a priority, but change is still slow

While the majority of FIs have a dedicated DORA program in place, changing vast and complex systems takes time. With less than a month to go, is change happening fast enough?

A recent McKinsey report found that only a third of FIs are confident in their ability to meet DORA’s regulatory expectations by January 2025, and 100% of surveyed organisations face uncertainty regarding DORA in some capacity. This is mostly around the scope of its requirements and their ability to meet them in time. Implementing such comprehensive risk management, especially for third-party providers, can be a lengthy process, so it’s no wonder that FIs are falling behind.

However, banks are working hard to make up ground, with the same McKinsey report finding that over 40% of participant organisations have eight or more full-time employees dedicated to preparing for DORA. In fact, DORA was found to be a board-level agenda item in many cases, so it is clearly a priority for FIs.

Santander even included a section on DORA in its 2023 Disclosure Report which indicated its focus on incident classification and third-party policy. However, the UK bank saw over 80k outage reports in the first eight months of 2024, suggesting that implementing the policy changes has been challenging.

Is the industry ready for DORA?

So, will the banking industry be fully compliant with DORA’s regulatory expectations by January 2025? The simple answer is no, but change is coming. Banks will likely continue working on DORA into next year, but DORA is already doing its job; the industry has recognised the importance of digital operational resilience, and the wheels of change are in motion.

Chip Strange is Chief Strategy Officer at Ookla