How seriously can operational failures in information and communication technology (ICT) threaten the stability of our interconnected financial system? The answer lies in the critical dependencies that now exist between financial institutions and their technology infrastructure. When ICT systems fail, the ripple effects can spread rapidly across borders, impacting multiple entities and potentially destabilizing the broader economy because the financial sector is so highly interconnected.
In our hyperconnected financial ecosystem, ICT failures can cascade across borders, threatening systemic stability within moments.
The EU’s Digital Operational Resilience Act (DORA), which entered into force on January 16, 2023, aims to address these vulnerabilities, with a compliance deadline of January 17, 2025. Financial entities have had approximately two years to implement comprehensive compliance frameworks, a timeline that has created significant transitional challenges across different sectors. Prior to DORA, there was an evident gap in regulation concerning operational resilience, which the legislation specifically targets.
As of the January 2025 deadline, European Supervisory Authorities can now impose substantial fines for non-compliance. These penalties are designed to be severe enough to drive organizational change. Organizations processing €50 million daily could face fines exceeding that amount for serious violations. Non-compliant institutions risk severe penalties of up to 2% of annual worldwide turnover or €10 million for major violations.
Beyond monetary penalties, non-compliant institutions face increased regulatory scrutiny, more frequent audits, and potential restrictions on business operations until compliance is achieved.
A particularly transformative aspect of DORA is its approach to third-party risk management. Financial institutions bear responsibility for conducting due diligence on critical ICT third-party providers, while regulators gain direct oversight powers over vendors designated as critical. This represents a significant shift in regulatory scope, extending supervision beyond traditional financial entities to the technology providers that support them.
DORA’s impact stems from its recognition that traditional capital allocation approaches fail to address operational resilience gaps in digital environments. By imposing standardized requirements for incident reporting, testing, and third-party oversight, the regulation aims to strengthen the entire financial ecosystem against technological disruptions. Effective implementation will require IT service management (ITSM) integration to connect service management platforms with essential business systems, eliminating information silos that could undermine compliance efforts.
The question remains whether institutions have adequately prepared for this new regulatory reality or if they face potential operational and financial consequences for falling short.