Decoding DORA for FinTech Operational Resilience: 5 Areas of Focus

For FinTech customers, the impact of the Digital Operational Resilience Act (DORA) can be significant and multifaceted, offering both direct and indirect benefits.

DORA is a regulatory framework enacted by the European Union aimed at enhancing the operational resilience of the financial sector against cyber threats and other risks.  

Its primary focus is ensuring that all participants in the financial market, including banks, insurance companies, and FinTech firms, can withstand, respond to, and recover from technology-related disruptions and threats.  

Let’s take a closer look at the positives. 

  1. Enhanced Security Measures 

  2. Improved Service Continuity 

  3. Encouragement of Technological Innovation 

  4. Standardisation Across the EU 

  5. Increased Transparency 


ONE: Enhanced Security Measures:  

DORA requires financial entities, including FinTech companies, to establish and maintain robust digital operational resilience frameworks.  

But what does this really mean for those affected the most? 

FinTech customers can expect higher standards of cybersecurity, reducing the risk of data breaches, financial fraud, and other cyber-related threats. This has a halo effect on user perception and drives an organisation to fortify the security of its digital payments operations.

When dealing with payments, it's important to focus on the security of cloud payment data (in transit, in use and at rest, i.e. in storage) and to explore the role that cloud-adjacent infrastructure such as Hardware Security Modules (HSMs) can play in securing your customers' most valuable data.

Pay attention to your organisation's encryption key management by regularly reviewing and updating the process. Simply put, 'make sure you know where all your keys are and who has access to them'. In a dynamic digital environment, where skills shortages are compounded by staff turnover, having organisational governance and assurance processes as well as organisational policy is critical to compliant operations. Seeking external specialist skills can help you manage your HSMs effectively and easily, while maintaining control.
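The review the paragraph above asks for ('know where all your keys are and who has access to them') can be made routine by running it as a script over your key inventory. The example below is added for illustration and is not A24's code or tooling: the inventory records, the approved HSM/KMS locations, the rotation-age and access-count limits, and every key, principal and team name are constructed assumptions. It flags keys with no accountable owner on record, keys whose rotation is overdue, keys held outside approved locations, and human principals with access to more keys than policy allows.

```python
"""Key-inventory review (constructed example, not A24's data or tooling).

Checks the four questions a key-management review should answer:
where each key lives, who owns it, when it was last rotated, and who can use it.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class KeyRecord:
    key_id: str
    purpose: str                 # e.g. "card-data-at-rest"
    location: str                # where the key material lives (HSM or cloud KMS name)
    owner: Optional[str]         # accountable team; None means nobody is on record
    last_rotated: date
    principals: Set[str] = field(default_factory=set)  # identities allowed to use the key


# Constructed inventory: hypothetical keys, locations, owners and principals.
INVENTORY: List[KeyRecord] = [
    KeyRecord("k-001", "card-data-at-rest", "hsm-eu-1", "payments-sec",
              date(2024, 1, 10), {"svc-payments", "alice"}),
    KeyRecord("k-002", "tls-transit", "cloud-kms-eu", "platform",
              date(2023, 2, 1), {"svc-gateway", "alice", "bob"}),
    KeyRecord("k-003", "token-vault", "hsm-eu-2", None,
              date(2024, 3, 5), {"svc-tokens", "alice"}),
    KeyRecord("k-004", "backup-at-rest", "cloud-kms-us", "platform",
              date(2022, 11, 20), {"svc-backup", "alice", "carol"}),
]

# Constructed policy values (assumptions, not DORA or PCI DSS figures).
REVIEW_DATE = date(2024, 6, 1)
MAX_KEY_AGE_DAYS = 365                 # rotation is overdue beyond this age
MAX_KEYS_PER_PERSON = 2                # cap on keys any one human may access
APPROVED_LOCATIONS = {"hsm-eu-1", "hsm-eu-2", "cloud-kms-eu"}
SERVICE_PREFIX = "svc-"                # machine identities are exempt from the per-person cap


def keys_without_owner(inventory: List[KeyRecord]) -> List[str]:
    """Keys nobody is accountable for: the first gap a review must close."""
    return sorted(k.key_id for k in inventory if k.owner is None)


def overdue_keys(inventory: List[KeyRecord], as_of: date,
                 max_age_days: int = MAX_KEY_AGE_DAYS) -> List[str]:
    """Keys older than the rotation policy allows on the review date."""
    return sorted(k.key_id for k in inventory
                  if (as_of - k.last_rotated).days > max_age_days)


def keys_outside_approved_locations(inventory: List[KeyRecord],
                                    approved: Set[str] = APPROVED_LOCATIONS) -> List[str]:
    """Keys whose material sits somewhere the organisation has not approved."""
    return sorted(k.key_id for k in inventory if k.location not in approved)


def overbroad_principals(inventory: List[KeyRecord],
                         cap: int = MAX_KEYS_PER_PERSON) -> Dict[str, int]:
    """Human principals holding access to more keys than policy permits."""
    counts: Dict[str, int] = {}
    for k in inventory:
        for p in k.principals:
            if not p.startswith(SERVICE_PREFIX):
                counts[p] = counts.get(p, 0) + 1
    return {p: n for p, n in sorted(counts.items()) if n > cap}


def review(inventory: List[KeyRecord], as_of: date = REVIEW_DATE) -> Dict[str, object]:
    """Run every check and return the findings as one report."""
    return {
        "no_owner": keys_without_owner(inventory),
        "rotation_overdue": overdue_keys(inventory, as_of),
        "outside_approved_locations": keys_outside_approved_locations(inventory),
        "overbroad_principals": overbroad_principals(inventory),
    }


if __name__ == "__main__":
    for finding, detail in review(INVENTORY).items():
        print(f"{finding}: {detail}")
```

In practice the inventory would be exported from the HSM or cloud KMS rather than typed in, and each non-empty finding should have a named owner and a due date before the next review cycle.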

'make sure you know where all your keys are and who has access to them'

A24 Executive Team

This heightened control over key management not only bolsters security but also facilitates adherence to additional regulatory compliance standards, including PCI DSS version 4.0 and European regional data protection regulations, such as the UK Data Protection Act and GDPR. 

TWO: Improved Service Continuity:  

DORA mandates that financial entities must be able to quickly recover and resume operations following an ICT (Information and Communication Technology) disruption.

This requirement increases the emphasis on selecting FinTech services that are more reliable, designed to minimise downtime and ensuring that customers have consistent access to their financial services.

In a Cloud-first world, what does this mean when many organisations have adopted a single Cloud strategy?

Organisations need to weigh up the commercial benefit offered by Cloud providers for exclusivity against the operational advantages of a multi-cloud approach.

Multi-cloud gateways provide unmatched flexibility to ensure service continuity. They also empower organisations to utilise their HSMs across multiple public cloud and private environments, allowing for unparalleled flexibility and choice.

This also means organisations can leverage the strengths of multiple cloud providers without sacrificing uniformity in cryptographic key management. 

Multi-cloud gateways enable a dynamic and adaptable approach to cloud infrastructure, facilitating migration and scalability across different cloud platforms. 

THREE: Encouragement of Technological Innovation:  

While DORA imposes strict requirements, it also encourages the adoption of advanced technologies to enhance operational resilience.  

This fosters an environment for FinTech firms to embrace innovation and implement cutting-edge solutions that could improve customer experience, security, and service efficiency. 

While this is all positive, be aware of the need to maintain your security posture for your most critical payments data. Hybrid solutions, where cloud-adjacent HSM offerings provide compliance and security assurance together with direct cloud access, may be considered the best of both worlds from both a resilience and a commercial Cloud-enablement standpoint.

Simply put, think about how you can 'maintain your payments security posture in a dedicated environment, while you continue to innovate in the Cloud'.

  • Consider multi-cloud gateways and Cloud-adjacent infrastructure: 

    Infrastructure that enables a multi-cloud gateway, providing redundant access that is seamless and fast for transactions, together with highly secure migration of encryption key management.

    One notable advantage of deploying HSMs in a private cloud environment is the enhanced control and isolation it provides. In a private cloud, organisations have dedicated resources solely for their use, reducing the risk of shared infrastructure vulnerabilities and prioritisation issues for maintenance. 

    Crucially, this isolation extends to the storage and management of encryption keys, ensuring that sensitive cryptographic material remains within the confines of the organisation's controlled environment. 

  • Consider as-a-service consumption models: 

    Consider as-a-service offerings to gain the business-model flexibility to pivot as needed. With many organisations preferring to reduce operating expenditure (OPEX) and make the most of Cloud-based offerings, it's no longer an either-or choice. Private Cloud services utilising Cloud-adjacent infrastructure for payments can be accessed via as-a-service offerings, where an organisation may choose a dedicated Cloud without the capital expenditure (CAPEX) of infrastructure ownership.

FOUR: Standardisation Across the EU:  

DORA aims to harmonise digital operational resilience requirements across the EU.  

For customers, this means a more consistent experience and level of protection when dealing with FinTech firms operating in different EU member states. It simplifies the regulatory environment for FinTech companies, potentially leading to more efficient and unified services across Europe. 

As FinTechs grow, it's crucial to have scalable solutions that uphold engineering integrity to align with DORA and regional data protection rules. The way you deliver in the market is just as vital as the initial design agreed upon during the exploration stages of your payments delivery model. Make sure your partners can accredit the infrastructure they use on your behalf, and consider working with reputable global partners for a standardised and transparent approach.

Take a closer look at how your data is handled in the Cloud and consider your organisation's need for data sovereignty. Ask your compliance team if your payments data is securely stored in dedicated environments across the EU. If you're not sure, just reach out to your public Cloud partners and ask for more details about it. 

FIVE: Increased Transparency:  

With DORA, FinTech firms are required to report major IT-related incidents to regulatory authorities.  

This regulatory requirement enhances transparency concerning operational risks and resilience within organisations. By obliging FinTech firms to disclose major IT incidents, customers gain access to more comprehensive information. This increased transparency aids customers in making informed decisions when choosing to engage with the services, as they can assess the operational reliability and risk management practices of the companies they entrust with their financial transactions. 

Ultimately, the emphasis on operational resilience is aimed at protecting consumers. By ensuring that FinTech firms have solid plans in place for dealing with cyberattacks and other disruptions, DORA helps safeguard customers' assets and personal information as well as bolstering the reputation of the industry as a whole. 

Our closing thought

While DORA introduces a range of obligations for FinTech firms across the EU, it is designed with the protection of the financial ecosystem in mind. For customers, the benefits include enhanced security, more reliable services, and increased competition and innovation among FinTechs adhering to these high standards.

Net result: better products and services, and enhanced trust in the financial ecosystem.

Who is A24?

Global Payments and Data Security Services Provider

At A24 we tackle complex and difficult to manage critical system challenges securely and compliantly. We’re an expert cloud adjacent business that has grown from our 2006 IaaS origins in Japan. Our unique technical capabilities have developed from A24’s 15+ year heritage of building, monitoring and managing highly engineered IT infrastructure.

Blog Author | Nick Delacamp

Regional President EMEA & US, A24
