The EU’s new Digital Operational Resilience Act enforces strict ICT risk management to enhance system resilience. Jeremy Hughes explores how the new Act proposes to prevent disruptions, ensuring stability in an increasingly interconnected financial landscape.
On 19th July 2024, the acronym BSOD achieved global notoriety, leaping from a relatively obscure IT abbreviation to a front-page buzzword. The Blue Screen of Death became infamous when 8.5 million Microsoft Windows users worldwide experienced a global outage triggered by a faulty update from CrowdStrike, one of the largest global systems security vendors. Services went offline in the US, the UK, Europe and Asia, and emergency hotlines, airlines, hospitals and financial organisations experienced severe interruptions to the digital services that underpin their operations.
CrowdStrike later traced the fault to an update of its Falcon IT security software. While the total cost resulting from the outage would be virtually impossible to quantify, estimates of the global damage approach US$10 billion, with the cost to US Fortune 500 companies alone pegged at US$5.4 billion. The healthcare sector was hit the hardest, with losses estimated at £4.2 billion, while banking sector losses reached around £900 million.
The broader financial industry felt the shockwaves of the outage profoundly. Banks faced delays in processing transactions, with some reporting disruptions in online banking and ATM services. Thousands of financial transactions, especially in stock trading and foreign exchange markets, failed. Trading platforms encountered delays and crashes, contributing to market instability and financial losses. Employees at major financial institutions found themselves unable to log into critical systems.
In the EU, the timing of the outage seemed almost serendipitous, striking as financial institutions and key third-party providers rushed to finalise systems upgrades in compliance with the Digital Operational Resilience Act (DORA), which ultimately came into force on 17th January this year. The experience of a systemic, interconnected failure underscored the importance of the new legislation, validating the EU’s mission to introduce robust resilience standards.
Simon J McMenemy, managing partner at law firm Ogletree, Deakins, Nash, Smoak and Stewart, says: “DORA applies to financial entities operating within the EU and the critical third-party technology service providers supporting them, including those outside the EU. Under DORA’s mandate, financial market participants are subject to strict and complex requirements for various aspects of ICT risk management. These obligations range from reporting and incident management to resilience testing and third-party risk management.”
DORA introduces uniform obligations to enhance robustness across ICT infrastructure in EU member states, extending to critical third parties, including cloud platforms and data analytics providers. It mandates organisations to ensure resilience by withstanding, responding to and recovering from ICT incidents to maintain critical functions and minimise disruptions. Achieving this requires robust controls, effective business continuity plans and continuous testing of systems, tools and third-party services.
High stakes
What made the CrowdStrike outage so contagious was the complex interconnectedness of global information and communication technology. Financial networks have grown rapidly since the 2008 Global Financial Crisis, and the stakes are high; according to the European Commission, by 2023, the total financial assets of financial corporations in the EU were valued at £712 billion (US$896,169 billion).
But this is just part of the story: EU capital markets are still relatively underdeveloped. Consultancy Oliver Wyman notes that between 2016 and 2022, Europe’s equity capital market capitalisation increased from 48 per cent as a share of GDP to 66 per cent, while the US equivalent increased from 104 per cent to 157 per cent. Liquidity of equity markets (as measured by turnover velocity) decreased from 68 per cent to 52 per cent in Europe, while it stayed at 145 per cent in the US over the same period. Greater integration across national borders through technical linkages provides the opportunity to boost the EU’s markets to resemble the more developed US model.
Indeed, financial services are a central plank of the EU’s strategy to complete its internal market under the free movement of services and capital. And financial integration is a cornerstone of the Union’s broader economic strategy: fostering a seamless and competitive financial system supports economic growth, innovation and stability, benefiting businesses, consumers and member states. Technology offers powerful ways of promoting markets integration by fostering greater access, scale and liquidity.
The pandemic accelerated this trend, as financial institutions increasingly depend on digital systems to support remote operations. And the opportunities offered by big data and artificial intelligence have driven a proliferation of cloud services hosted on servers concentrated in massive farms – each of which represents a concentration of risk.
Material hazards
When considering these risks, the spectrum affecting today’s complex ICT networks is broad and multifarious. Analysts and solutions providers must tackle a laundry list of hazards, both inherent in existing systems and lying ahead from future developments, internal and external.
For many firms, early adoption of technology in the last century has a sting in the tail: outdated or obsolete hardware and software that remain in place, compounding the risk of malfunction. A Financial Conduct Authority study reveals that legacy technology continues to underpin the UK financial services sector, with some 92 per cent of firms still reliant on outdated systems. Many of these companies juggle hundreds of software applications, far exceeding the average of 130 used by organisations across all sectors.
These disparate systems generate data in various formats, leaving IT teams with the daunting challenge of integrating them into a cohesive, functional whole. In addition – as in the case of CrowdStrike – dependence on third-party providers introduces risks if their systems fail, while emerging technologies like IoT and AI may create unforeseen security gaps. Increasing reliance on third-party hosting facilities and software-as-a-service arrangements introduces further external dependencies that are difficult to monitor and control.
Cécile Liégeois, clients and markets leader, regulatory advisory partner at PwC, comments: “Stakeholders must navigate the complexities arising from technological competition, operational vulnerabilities and the evolving threat landscape to ensure the resilience and security of their operations. Within the financial sector, the digital transformation has amplified operational and ICT risks. Establishing and maintaining strong defences against operational and ICT risks has proven to be a major business imperative for financial entities.”
Increasing complexity
Unsurprisingly, as systems complexity increases, so too does the frequency and significance of breakdowns due to errors and the activities of bad actors. In 2023, cyber attacks causing financial losses of between £238,000 and £800,000 affected 52 per cent of organisations globally, with 12 per cent of losses surpassing £800,000. That year, data breaches across the US financial industry reached 744, up 330 per cent since 2019.
Achieving compliance with DORA and similar regulations will demand substantial additional investment. According to Forbes, compliance costs currently average £144 billion annually, with organisations spending approximately £7,900 per employee to maintain compliance. DORA’s additional obligations are expected to drive these costs even higher.
Failing to act will also be costly. DORA will fine firms up to two per cent of their annual global turnover, while individuals could receive fines up to €1 million (£830,000). Failure to report significant ICT incidents could be liable to further penalties. And penalties of up to €5 million (£4.2 million) could hit non-compliant third-party ICT service providers, with their individual employees receiving fines up to €500,000 (£416,000). And due to DORA’s applicability to third-party entities providing key functionality, many suppliers in the US and Asia will also be subject to its requirements.
This cross-border aspect of DORA may well benefit all of these critical providers’ customers – yet few other jurisdictions have introduced systems resilience requirements as comprehensive for businesses within their own borders. In the US, aspects of systems resilience and cyber security devolve to a raft of bodies and regulations, including the Financial Stability Oversight Council and the Dodd-Frank Act; the Financial Industry Regulatory Authority and Securities and Exchange Commission Guidelines; the Gramm-Leach-Bliley Act; and the National Institute of Standards and Technology Cyber Security Framework.
Similarly, in the UK, ICT security and resilience duties are shared across the Financial Conduct Authority and Prudential Regulation Authority Operational Resilience Rules, the National Cyber Security Centre Guidelines and the UK Cyber Security Strategy for Financial Services, among others. Faced with this complexity, the simplicity DORA promises seems attractive. While the EU’s free movement of capital comes with a price, including to stakeholders outside the union, its commitment to a more homogeneous regulation as a solution to managing the risks of an increasingly connected financial sector represents a new approach.
Zbyněk Stanjura, Minister of Finance of the Czech Republic, summarised the proposition: “We live in uncertain times. Banks and other companies which provide financial services in Europe already have plans in place for their IT security, but we need to go one step further. Thanks to [DORA’s] harmonised legal requirements…our financial sector will be better able to continue to function at all times.”
Time will tell if the benefits justify the costs – but if it prevents another widescale BSOD incident on the scale of the CrowdStrike outage, it may well be worth it.
This article was published in the Q2 2025 issue of CIR Magazine.