This article is a free excerpt from inCOMPLIANCE, ICA's bi-monthly, member exclusive magazine.
A worrying number of firms report that they fall short on data resilience. Martin Nilsson explains what they can do.
Nearly a year has passed since the EU’s Digital Operational Resilience Act (DORA) came into force, yet for many firms, compliance with its dictates has not been easy. Designed to ensure banks, insurers, asset managers and other financial institutions can withstand ICT-related disruption, DORA has in fact exposed a troubling reality: for most organisations, long-term resilience is still out of reach.
In recent research, 96% of firms admitted that their current levels of data resilience fall short, and 41% said that their IT and security teams have been under increased stress since DORA came into effect. This is concerning given the costs of operational failures: in the UK alone, banks have paid out £12.5 million in compensation for IT outages over the past two years.
In financial services, resilience is mission-critical, protecting not just revenue but also brand integrity and reputation.
Resilience starts with APIs
Financial services are only as resilient as their weakest API (application programming interface). In today’s financial systems, APIs do the heavy lifting behind every trade, balance sheet and payment. But when performance dips, even just slightly, then efficiency, trust and profit are at stake.
Consider this real-world scenario. A FinTech integration with a market data provider seemed healthy, but latency crept from 50 milliseconds (ms) to 200ms. Execution logic slowed, slippage increased and detection lagged by minutes. That’s not a policy issue – that’s an operational failure.
The lesson for firms is clear: monitoring uptime is no longer enough. IT leaders need full-path visibility into API latency, including external providers, and systems capable of pinpointing when performance degradation crosses the threshold into compliance territory.
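As an added illustration of the threshold check described above (this is example code, not from the article or from ITRS), the script below evaluates a rolling p95 latency per hop of an API path over constructed samples: every call returns 200, so an uptime check stays "green", while the per-hop check attributes the breach to the external provider within seconds of onset. The hop names, the 150 ms threshold and the 30-sample window are assumptions.

```python
"""Latency-aware health check for one API path: gateway -> core -> external provider.
Sample data is constructed for this example (not from the article); each sample records
the HTTP status and the per-hop latency in milliseconds, once per second."""
from dataclasses import dataclass
from statistics import quantiles

HOPS = ("gateway", "core", "provider")   # assumed hop names on the path
THRESHOLD_MS = 150.0   # assumed SLO; the article's case drifts from 50ms to 200ms
WINDOW = 30            # samples per evaluation window (assumption)

@dataclass
class Sample:
    t: int           # seconds since start of the series
    status: int      # HTTP status of the call; 200 means "up"
    hops_ms: dict    # per-hop latency in milliseconds

def make_samples(n=180, onset=90):
    """Constructed series: ~50ms end-to-end, provider hop adds 150ms from `onset` on."""
    out = []
    for t in range(n):
        gw, core = 10.0 + (t % 3), 15.0 + (t % 2)
        prov = 25.0 + (t % 4) + (0.0 if t < onset else 150.0)
        out.append(Sample(t, 200, {"gateway": gw, "core": core, "provider": prov}))
    return out

def p95(values):
    return quantiles(values, n=20)[18]   # 19th of 19 cut points = 95th percentile

def uptime_ok(samples):
    """What a plain uptime monitor sees: every call succeeded."""
    return all(s.status == 200 for s in samples)

def evaluate(samples, threshold=THRESHOLD_MS, window=WINDOW):
    """Return the first alert as (t, end_to_end_p95, worst_hop, delta_ms), or None.
    Baseline per hop is the p95 of the first window; the alert names the hop whose
    p95 rose most against that baseline, i.e. full-path attribution."""
    baseline = {h: p95([s.hops_ms[h] for s in samples[:window]]) for h in HOPS}
    for end in range(window, len(samples) + 1):
        win = samples[end - window:end]
        total = p95([sum(s.hops_ms.values()) for s in win])
        if total <= threshold:
            continue
        deltas = {h: p95([s.hops_ms[h] for s in win]) - baseline[h] for h in HOPS}
        worst = max(deltas, key=deltas.get)
        return win[-1].t, total, worst, deltas[worst]
    return None

if __name__ == "__main__":
    data = make_samples()
    print("uptime check:", "OK" if uptime_ok(data) else "DOWN")
    print("latency check:", evaluate(data))   # alert at t=91, one second after onset
```

Detection lag is the gap between the alert's `t` and the known onset; on the constructed series it is one second, against the minutes reported in the scenario above.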
The supply chain factor
High-profile incidents over the past year or so have shown that a single cloud outage can paralyse entire sectors. One only has to look back to July 2024, when the infamous CrowdStrike outage disrupted everything from air traffic systems to online banking. Yet for many organisations, the dashboards during this outage still showed ‘green’. More recently, attackers exploited a compromised integration between Salesloft and Drift, which allowed malicious emails to be sent through trusted platforms and impacted over 700 companies. These examples should serve as a strong reminder that exposure to vulnerabilities extends far beyond a firm’s own systems.
For heads of IT operations, the question is not whether your own tenancy is healthy, but whether you can detect region-wide failures before your customers do. DORA’s ICT dependency mapping requirements underline this. Resilience depends just as much on understanding and monitoring the wider supply chain as it does on your own cloud services.
Third-party accountability
Another challenge lies in third-party dependencies. The CrowdStrike outage revealed how quickly a vendor failure becomes your business problem. Under DORA, firms cannot outsource accountability – regulators will hold you responsible for third-party vendor resilience.
That means embedding resilience standards directly into vendor contracts, with escalation chains and SLAs (service-level agreements) that provide assurance long before regulators come calling. Continuous monitoring of vendor performance and documented evidence trails are now critical regulatory requirements.
Building a DORA-ready playbook
To meet DORA’s standards and build lasting resilience, IT leaders should focus on five critical actions.
- Monitor API latency, not just uptime. Compliance demands accurate incident detection and reporting. Latency blind spots can turn into regulatory breaches.
- Map full ICT dependencies, including cloud and vendors. DORA requires firms to demonstrate comprehensive dependency visibility – going beyond ‘green’ dashboards.
- Enforce vendor SLAs and escalation chains. Accountability must be contractual, not assumed. Ensure third-party governance aligns with regulatory reporting needs.
- Maintain granular incident logs and evidence trails. If you can’t prove your response with documentation, regulators will assume you didn’t meet requirements.
- Formalise and rehearse third-party incident response (IR) playbooks. Resilience must extend across the supply chain, with IR procedures that are tested and auditable.
Resilience as strategy
For IT and operations leaders in financial firms, DORA has been a wake-up call, reiterating the need for continuous visibility, accountability and proof of resilience. It has further underlined why these tasks cannot simply be ticked off. They form part of a mandate to demonstrate that operations can stay online in an industry where even a second of downtime can have major, widespread consequences.
This means equipping IT teams with the tools and discipline to measure, explain and prove resilience before things go wrong.
Those who treat DORA as a strategic opportunity will sidestep regulatory risk, strengthen trust, improve customer confidence, and reduce the likelihood of costly outages and damaging headlines. Those that do not have been warned.
About the author
Martin Nilsson is Chief Product Officer at ITRS, with over 20 years' experience of B2B software and financial services technology. Prior to joining ITRS he led global product management and quality assurance at Itiviti, and has held chairman posts at Codic Consulting, Software Skills and Future Skills.