The Digital Operational Resilience Act (DORA), introduced by the European Union in 2022 and in effect since the beginning of 2025, represents a watershed moment for the industry's approach to digital risk management. For Wilfried Lauber, Global CISO Deputy at Amundi, firms should embrace this opportunity: a few crucial steps can strengthen their own systems and practices.
$6.08 million: that is the average cost of a data breach in the financial industry, according to a 2024 study by IBM – 22% higher than the global average ($4.8 million) and a 3% increase compared to 2023[1]. With the ever-increasing volume of data, a tightly interconnected financial landscape and rising geopolitical uncertainty, asset management firms face unprecedented cybersecurity and operational challenges.
In this context, DORA establishes a comprehensive framework specifically designed to enhance the technological resilience of financial institutions, with significant implications for asset managers. By standardizing Information and Communication Technologies (ICT) risk management practices, incident reporting protocols, and third-party service provider oversight, DORA aims at a systemic transformation of the financial sector, seeking resilience against increasingly sophisticated cyber threats.
For asset management firms, “DORA's implementation is a paradigm shift that transcends mere compliance. It represents a strategic imperative to protect client assets, preserve operational continuity, and maintain market trust,” says Wilfried Lauber. “Ultimately, what EU regulators are trying to achieve is resilience and security for the whole system. Where before regulations applied only to financial institutions themselves, requirements will now apply to their ICT providers as well.”
Bridging the gap analysis
Many financial institutions, especially larger ones, already have a good part of the DORA requirements in place, explains Wilfried Lauber: “DORA is more of an evolution than a revolution.” However, the regulation introduces a new dimension by including third-party service providers, adding another layer to the resilience and reliability requirements for financial institutions. Firms must now ensure that their providers meet the same high standards.
A comprehensive gap analysis has proven to be a crucial step in this context. “We started working on Amundi’s compliance for DORA as early as 2022,” continues Wilfried Lauber. “To ensure alignment, we conducted a gap analysis and built a program around five pillars, covering all aspects of the DORA requirements: risk and governance, operational resilience – which is at the core of the regulation –, incident management, asset mapping to ensure we had a clear and precise view of all our assets and their criticality, and that our program was fully deployed. Finally, establishing the compliance of our ICT providers proved to be the most challenging aspect.”
The new regulations also introduce specific contractual requirements. In addition to identifying the third parties they work with and ensuring their security, asset managers and financial institutions must update all contracts with their service providers – particularly those considered critical to their operations and activities.
“This is proving to be challenging: any changes to contracts will require negotiations, which will take time and may also alter the relationship between the firm and its providers,” warns Wilfried Lauber. “As far as Amundi Technology is concerned, we already have contractual amendments ready for our clients to ensure that their contracts with us are DORA-compliant.” Different levels of maturity can also complicate compliance, with some firms being more advanced in their digital operational resilience than their ICT providers – or vice versa – which can make implementing solutions more difficult.
Anticipation and protection: essential steps for DORA compliance
Whatever the contract terms or maturity levels, one constant remains: a dual approach to security is essential. Any digital resilience strategy must combine both an anticipatory dimension and a defensive one. “The DORA regulation encourages firms to establish a comprehensive ‘digital shield’ and to test it regularly,” explains Wilfried Lauber. “At Amundi, as a financial company, we have a security team, an internal audits team, and we are supervised by regulators. We work with ‘white hats’ – ethical hackers who test our systems and code for vulnerabilities. Certifications are also important; our ALTO platform, for instance, is SOC 2-compliant. An external company audits us on key criteria such as access control and incident reporting. Hence, ALTO benefits from the control framework mandatory for financial companies, along with external assessments. One specific DORA requirement is the obligation to report any major incident within 24 hours, both to the client and to the regulator. This ensures that all potential repercussions are properly addressed, making the entire system more robust and resilient.” Regular testing, both within firms and at their ICT providers, helps anticipate and, in many cases, prevent incidents.
It is essential, however, to recognize that prevention will never be foolproof – and firms must be prepared for that reality. “All digital shields have a hole,” sums up Wilfried Lauber. With DORA, the European regulator aims to ensure that all financial companies and their service providers have developed disaster recovery and business continuity plans. In the event of a successful attack or a service disruption, firms must have a tested plan B to ensure operations can resume. “This is critical. Many firms have been diligent about putting protection measures in place. However, ensuring that, if systems were to partially or completely fail, a firm has the capability to restart operations and maintain business continuity is ultimately just as important as protection itself.”
In the end, communication and the sharing of best practices are essential to ensuring greater resilience across the European financial sector. This collaborative approach, supported by ongoing dialogue around DORA, helps all actors align their efforts. One of DORA’s key principles is proportionality, which links directly to the identification of critical and important services. Firms are expected to map all services and assets, but with a clear focus on those that are essential to business continuity.
“While resilience and security measures must apply across the board, DORA prioritizes critical systems – those whose failure could have the most severe impact for the firm involved as well as for the EU financial structure as a whole… These systems must be identified, fully secured, and consistently monitored to ensure operational continuity, even in the event of a disruption,” states Wilfried Lauber. This risk-based, proportional approach extends from individual entities up to the European level. Each firm identifies its own critical services, while regulators at the EU level assess which service providers are critical to the entire European financial system. “This cascading, capillary effect, where local resilience feeds into broader regional stability, is at the heart of DORA’s ambition: creating a more robust and resilient European financial ecosystem.”