Skip to main content
Understanding DORA’s vision for a resilient financial network

Understanding DORA’s vision for a resilient financial network

August 10, 2023

The Digital Operational Resilience Act (DORA) was not written with the solutions of a global payment network in mind. One look at its regulatory provisions suggests it might as well have been.

The suggestion is not for a payment network to shoulder DORA compliance on behalf of financial entities operating within its network. That would be a tall order even if the focus was purely cyber resilience. It is made taller still by DORA’s coverage of all operational risks associated with information & communications technology (ICT) and posed by the increasing interconnectedness of financial entities.

Rather, the suggestion notes DORA’s position that resilience may “by reason of its scale and effects, be better achieved at [European] Union level” and that payments have “moved from cash and paper-based methods” to digital solutions. DORA’s twin focus on scale, across the EU and beyond, and finance, notably payments, aligns well with the existing activities of global payment networks.

For example, at Mastercard we support financial entities by enabling secure payments and data transfers worldwide. Our digital operational resilience comes via a combination of strong customer authentication, risk quantification, breach & attack simulation, online exposure monitoring, and systemic risk assessment.

The combination is important. DORA notes how the EU’s financial sector is “regulated by a Single Rulebook and governed by a European system of financial supervision” while “digital operational resilience and ICT security are not yet fully or consistently harmonised.” The explicit call is for a harmonised framework, but the implicit suggestion is that the solutions should be harmonised too. A payment network’s solutions can help financial entities attain that harmony together.


Four distinct pillars, one “always on” solution

The four main pillars of DORA logically call for four solutions, and dedicated products exist for each of them to various degrees. But risk management, incident reporting, resilience testing, and third-party risk do not operate independently of one another. DORA addresses them together without interruption for good reason; providers of cybersecurity and other operational risk solutions might consider doing the same.

Payment networks are intimately familiar with the need to be “always on” via the stand-in processing they provide to banks to meet strong customer authentication (SCA) requirements during bank outages and downtimes.

Yet beyond payment authentication and authorisation, payment networks also continuously protect all data on their networks. That protection may cover transactions focused solely on credit card or real-time account-to-account payments, or it may incorporate other financial data via open banking or increasingly blockchain.

Ongoing cycles of cyber risk quantification allow payment networks to manage operational risks to their multi-rail networks and those faced by the financial entities they serve. This quantifiable approach to DORA’s first pillar takes cybersecurity beyond an arcade-game mentality of reactively plugging coins into a slot to stem a relentless onslaught of attacks. Internal customisation can then address specific business needs while external contextualisation provides support based on ever evolving dynamic threats.

Resilience testing via breach & attack simulations complements risk management by mimicking the behaviour of malicious actors. The simulations can run continuously within an organisation’s production environment to address DORA’s second pillar while business operations continue uninterrupted. They can also serve as a continuous validation system that monitors the effectiveness of security controls. The results provide enhanced data for risk management that in turn feed further resilience testing in virtuous cycles. Reports resulting from the continuous testing can then feed into incident reporting mechanisms for DORA’s third pillar as needed.

The fourth pillar, third-party risk, comes after risk management, incident reporting and resilience testing in DORA. The position seems not to be a reflection of importance but rather a recognition of how it underlies the other three pillars in a financial ecosystem.

Many financial entities, one financial ecosystem

Third-party risk is noted as the most challenging of DORA’s four main pillars in a Mastercard-sponsored survey of information & communication technology (ICT) risk teams in 20 financial entities across 20 EU countries between November 2022 and February 2023.

The challenge results from the emerging need for ecosystem resilience as third-party risk shifts from a “me versus them” mentality to a collective “us” that underlies all other aspects of cybersecurity. The overarching aim of DORA is to provide that ecosystem resilience to the EU and ideally worldwide.

From a global perspective, DORA does not require data localisation regarding handling data entering and leaving the EU. Still, DORA is not immune to the “Brussels effect”, which refers to the impact of EU legislation beyond its geographical borders.

More specifically in terms of DORA itself and third-party risk, articles 36 and 44 address activities by European supervisory authorities “outside the Union” and the development of best practices through “international cooperation”.

The scope means the ability of financial entities to address DORA depends on holistic solutions from providers, such as global payment networks, with partnerships spanning the financial ecosystem. The virtuous cycle of risk management and resilience can then further benefit from the economies of scale associated with a financial ecosystem replete with inherent third-party relationships. Dedicated approaches to third-party risk, such as monitoring online exposure and systemic risk, complement the network approach.


The letter of the law versus the spirit of the law

The Digital Operational Resilience Act sounds far more approachable under its personable acronym DORA. Financial entities in the EU and elsewhere will need to know DORA well by January 2025 when the enforcement goes live.

The Mastercard-sponsored survey suggests that financial entities will begin compliance implementation in mid-2023 after completing gap assessments. A comprehensive or “harmonised” package of solutions should help them come in on time.

Yet that help should go beyond the mere provision of connected solutions to meet compliance needs. DORA depends on more than just individual financial entities complying with the letter of the law. It also depends on financial entities recognising the need to come together across the financial ecosystem through a network approach.

Without that network, there will likely be a disconnect. An ironic result for an act designed to cater to an interconnected world.

Cihan Salihoğlu
Cihan Salihoğlu Advisors client services, Mastercard
Steve Brown
Steve Brown Cyber & Intelligence solutions, Mastercard

Related resources

Tile image 2 a business is known
A business is known by the companies it keeps: An ecosystem approach to cyber resilience

The “me versus them” mentality of standard third-party risk management (TPRM) approaches makes cyber resilience difficult to achieve. An ecosystem approach reorients that mentality around a collective "us.”

wargaming tile image
Wargaming: Stopping cybercrime by copying it

The story goes that when President Nixon’s team fed data into a computer to find out when they would win the Vietnam War, they were informed they had already won. The need for reliable simulations now pertains as much to armed combat as to cybersecurity.

poland banking sector report tile image
Cybersecurity insights for the banking sector in Poland

Banking, finance and insurance sectors are the top targets for attackers, accounting for every fourth attack in Poland. The good news is that Poland’s banking sector is one of the best in managing cybersecurity risks and the number of active cyber threat actors in Poland is decreasing.