How PATECCO Supports Digital Operational Resilience in the Financial Sector: Expert Interview with PATECCO’s special advisor Albert Harz

With the rapid digital transformation of the financial sector, operational resilience is no longer optional – it’s mission-critical. With the rise of cyber threats, complex regulatory requirements, and heightened reliance on Information and Communication Technology, financial institutions must ensure continuity, integrity, and security across all services and systems.

To provide deeper insight into this critical issue, Dr. Ina Nikolova sat down with Albert Harz, PATECCO’s special advisor and ISO 27001 Lead Auditor, to discuss what digital operational resilience means under the new EU regulatory landscape and how financial institutions can prepare to meet these evolving demands. His expertise provides practical guidance on the scope, responsibilities, and key challenges introduced by the Digital Operational Resilience Act (DORA).

Ina:

  • What is digital operational resilience in the context of the financial sector?

Albert:

Digital operational resilience refers to the ability of a financial entity to maintain its operational integrity and reliability, even in the face of ICT risks such as cyber threats or even a cyber-attack. This entails guaranteeing the quality and security of the information and network systems used to provide financial services, even in the event of disruptions. It involves having the ICT-related skills required to handle possible problems either directly or through outside service providers in order to guarantee the ongoing availability of financial services.

Ina:

  • Why is Digital Operational Resilience important for the financial sector?

Portrait of Albert Harz, PATECCO’s Special Advisor in Risk Management

Albert:

The financial industry relies heavily on information and communication technology (ICT) to support daily operations and complex structures. ICT risk is greatly increased by growing digitization and connectivity, which makes the financial system especially vulnerable to cyberattacks and ICT disruptions. Financial organizations, particularly those that operate internationally, face difficulties in effectively managing ICT risk and reducing the effects of incidents due to gaps, overlaps, and inconsistencies in the Union’s current regulations. Maintaining the integrity and stability of the financial industry as well as the ongoing operation of the internal market depend heavily on ensuring digital operational resilience.

Ina:

  • What types of entities are covered by the new regulation on digital operational resilience?

Albert:

The regulation applies to a wide range of financial entities. This includes, but is not limited to, credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, credit rating agencies, and crowdfunding service providers. Importantly, it also applies to ICT third-party service providers that supply services to these financial entities.

Ina:

  • What are the key requirements for financial entities regarding ICT risk management?

Albert:

A complete and documented ICT risk management framework must be established and maintained by financial entities. Mechanisms and steps for effectively and understandably managing ICT risk as well as safeguarding infrastructure and physical components should be part of this framework. In order to reduce the impact of ICT risk, entities must constantly monitor the security and functionality of all ICT systems, use robust tools and systems, and periodically review and update their risk scenarios. Additionally, they must keep track of and update inventories of relevant ICT assets on a regular basis.

Ina:

  • How does the regulation address the testing of digital operational resilience?

Albert:

The regulation mandates a coordinated testing regime for digital operational resilience. All ICT systems and applications supporting critical or important functions must undergo appropriate testing at least once a year, according to financial entities other than micro-enterprises. These tests may consist of scenario-based testing, penetration testing, vulnerability assessments, and more. Additionally, at least every three years, specific financial entities that have been identified must perform advanced testing that simulates actual cyberthreats using threat-led penetration testing (TLPT).

Ina:

  • How does the regulation address the risks associated with using ICT third-party service providers?

Albert:

The regulation establishes a framework for managing ICT third-party risk. A strategy on ICT third-party risk, including a policy on the use of ICT services to support critical or important functions, must be adopted and reviewed on a regular basis by financial entities. They are required to keep a record of the terms of their contracts with these suppliers. In order to address possible systemic risks resulting from concentration and dependencies, the regulation also establishes an oversight framework for critical ICT third-party service providers. Contractual arrangements with critical or important functions must include specific elements to ensure oversight and resilience, including exit strategies.

Ina:

  • What is the Oversight Framework for critical ICT third-party service providers?

Albert:

The Oversight Framework is a mechanism for continuous monitoring of the activities of ICT third-party service providers that are deemed critical to financial entities. Through the Joint Committee, the European Supervisory Authorities (ESAs) identify critical ICT third-party service providers according to standards pertaining to their degree of substitutability, systemic impact, and the significance of the financial entities they serve. For each designated critical provider, a Lead Overseer is assigned to carry out evaluations and offer suggestions regarding ICT risk mitigation and management. The objective of this framework is to guarantee the stability and integrity of the Union financial system while addressing the systemic effects of ICT third-party concentration risk.

Ina:

  • What are the consequences of non-compliance with the regulation?

Albert:

For violations of the rule, competent authorities have the authority to administer administrative fines and corrective actions. The degree of responsibility, the entity’s financial stability, the materiality and severity of the breach, and any prior breaches are some of the factors that determine the kind and extent of these measures. Violations of national laws may also result in criminal penalties for member states. If critical ICT third-party service providers disregard the Lead Overseer’s recommendations, they may also be subject to penalty payments.

Ina:

  • Thank you for your insights and the summary of the topic.

Albert:

Thank you, Ina, for having me.

Key Takeaways

At PATECCO, we understand that digital operational resilience is not just about compliance – it’s about securing trust, stability, and long-term value for both financial institutions and their clients. With deep expertise in IAM, governance, and regulatory frameworks, we help organizations not only meet the technical demands of DORA, but also implement sustainable security strategies that strengthen business resilience. Stay tuned as we continue to share insights, success stories, and best practices on securing digital transformation in the financial sector.

If your organization is seeking a reliable IAM partner with the capability to act decisively and scale effectively, feel free to reach out to us at info@patecco.com or call +49 (0) 23 23 – 9 87 97 96.
