Discover the Alliancy's latest editorial 👉 Shadow IT and digital resilience: SaaS Management on the ExCom agenda


Navigating DORA Regulations for Financial Entities

In recent years, the risks associated with IT incidents, such as cyber-attacks and data breaches, have increased in both frequency and severity, driven primarily by the rapid expansion of software as a service (SaaS).

This has notably broadened the risk exposure surface, especially for big corporations.

In response to these escalating threats, governments across the EU have had to introduce strict regulations. The aim is to mitigate cyber risks, protect personal data, and ensure business continuity.

  • SaasManagement

In December 2022, the European Parliament adopted a specific regulation, DORA (Digital Operational Resilience Act), for the financial sector to streamline and strengthen digital operational frameworks across EU member states.

Far from being just another regulation, DORA serves as a comprehensive consolidation of all existing standards (EBA, ACPR, NIS2, etc.). It requires financial entities to better manage their outsourcing activities and evaluate the security risks of new IT solutions thoroughly.

In 2021, 50% of the leading banking institutions in the Eurozone reported being the target of at least one successful cyberattack, according to the European Central Bank in 2022.

Simultaneously, IT teams are confronted with a complex challenge: balancing the security and compliance of the Information System (IS) with the need for autonomy and innovation needs of the Business Units (BUs). The goal is to create a strong and clear IT governance framework that addresses these risks.

Understanding the DORA Regulation

DORA is a European regulation adopted on December 14, 2022, set to come into effect on January 17, 2025. It aims to fortify the financial sector's operational resilience against the growing threats of digitalisation and cybercrime. This regulation is binding for all financial institutions within the EU, striving to standardise and consolidate the existing national regulations through a detailed, comprehensive framework on ICT risk management and the security of networks and IS across the EU.

DORA compels European financial entities to adopt proactive measures against challenges brought by digitalisation, automation, SaaS, generative AI, and more. The intention is to transition from an IT risk management approach to a broader strategy focused on digital resilience.

For DORA, “financial entities” are credit institutions, payment and e-money institutions, investment firms, capital management companies, insurance/reinsurance companies, and others. The list of the entities concerned can be found here.

To comply with DORA's directives, financial institutions and their third-party partners are required to implement and document a set of measures concerning their Information Systems and the technologies used.

DORA's Key pillars

Dora Chapters

This article focuses on DORA’s Chapter 5: managing ICT third-party risk.

Identifying and supervising ICT service providers is crucial because they will face more direct oversight by European authorities.

Consequently, financial entities are required to maintain a comprehensive registry of all third-party providers, including those considered non-risky, to readily report them to regulators when needed.

This registry should also be industrialised through sustainable internal processes, including:

  • Maintaining an annual and up-to-date list of all ICT providers, detailing contracts, due diligence efforts, audits, and exit strategies, and distinguishing between providers of critical functions and others.

  • Defining a strategy for managing risks associated with third-party providers and establishing an enhanced monitoring framework for critical providers, which includes additional contractual terms, performance and penetration tests, and a precise identification of the subcontracting chain.

This central chapter of risk management related to third-party providers makes it mandatory for financial institutions to record, classify, and declare all suppliers. As third-party services, SaaS providers are specifically targeted and must be monitored and referenced company-wide.

The DORA regulation intensifies the pressure on financial entities; every solution used must be catalogued, understood, and reported. It is crucial to take action now and develop a compliance plan for DORA by 2025. This represents a particularly pressing challenge for financial entities, especially since many lack a complete overview of their IT environments, notably with SaaS applications, a point underscored by the ACPR's focus on "inadequate management of Shadow IT.”

The ACPR Highlights “Persistent Gaps in Shadow IT Management.”

The ACPR's 2022 report on the security management of IS within France's insurance sector observed that insurers' identification of undeclared tools has not improved since the 2019 study.

"The risks associated with 'Shadow SaaS'—applications not managed by the IT department—are still largely overlooked (only 37% of respondents) in operational risk management,"
according to the ACPR.

Hence, insurers must urgently implement measures to align with the DORA regulation’s requirements.

ACPR Report
Source : ACPR Analysis and Summaries of °145 – 2

Tackling Shadow IT is no longer an option but a necessity for IT teams, especially financial entities. The IT department must implement a more flexible and agile policy to catalogue all applications used across the organisation.

To stay compliant, it's essential to create and maintain a well-structured, organised, and continuous list of all suppliers.
Additionally, it is crucial to actively manage the introduction of new tools to prevent the emergence of unauthorised shadow solutions. Consequently, establishing a robust governance framework emerges as a top priority for CIOs. This framework enables business units to continue using their preferred tools while ensuring the security of the Information System (IS) and compliance with the regulations in place.

Beamy icon colour