Artem Lyashanov on the impact of DORA provisions

January 17, 2025 was the deadline for the implementation of the new Digital Operational Resilience Act (DORA) in the EU. This regulatory act establishes a number of important requirements that financial institutions are obliged to follow, both companies registered in the EU and companies registered elsewhere that provide their services on EU territory, including Ukrainian ones. Fintech entrepreneur Artem Lyashanov tells us about the main requirements of DORA and compares them with the regulatory initiatives implemented in Ukraine.

What is this document about

We looked through this document and highlighted five aspects that companies should pay attention to:

  • Industrial risk management. According to the document, companies operating with information and communication technologies must develop, document and maintain a risk management system that includes constant monitoring, vulnerability assessment, response and stabilization.
  • Incident reporting. In addition to the previous point, market participants must develop a clear system for operational reporting of incidents involving digital resilience violations to the authorities.
  • Testing and resilience. According to DORA, market participants must conduct systematic stress tests covering various breach scenarios.
  • Third-party risk management. This includes recurrent checks of counterparties and providers, as well as ongoing audits.
  • Information exchange. There is no clear requirement on this point. However, DORA actively encourages the exchange of information on threats to digital resilience between market participants and the regulator.

“DORA is primarily a system of safeguards the European regulator establishes for the payment business. This is a matter of responsibility for the banks, payment service providers, as well as technical infrastructure operators. Since January 2024, this regulatory framework has been preparing (and now requires) participants in the financial services market to be more reliable in cybersecurity. It should be achieved through action plans that are built around a number of requirements,” says Artem Lyashanov.

How important is this act

According to the speaker, any additional regulatory norm arises not from a desire to overburden or complicate business, but primarily with the goal of reducing losses due to cyber threats. This is a completely understandable concern: according to Lloyds of London’s forecast, the consequences of a cyberattack on one of the major payment systems over a five-year period could amount to up to $3.5 trillion, and the annual IBM Cost of Data Breach Report claims that one such penetration “costs” the affected business around $4.45 million.

That’s why DORA violations will be sanctioned with a fine of 2% of global annual turnover, and in special cases the amount can reach up to 5 mln EUR.

“Fintech is a dynamic field that flourishes thanks to the simplifying of financial processes – with strong security guarantees for money in the digital world. But the development of opportunities, of course, raises possible threats. Each negative scenario is reflected not only in one specific brand, but in the industry as a whole. Companies may have problems with investments. That is why the task of DORA is to unify and constantly update a single system of financial monitoring rules on the EU market, which will reduce risks, and therefore preserve profits,” continues Artem Lyashanov.

Ukrainian perspective for DORA regulation

The security and resilience aspects from DORA are already used in a number of documents:

  • The Law of Ukraine “On the Basic Principles of Ensuring Cybersecurity in Ukraine”;
  • Regulation “On qualified providers of electronic trust services included in the Trusted List upon submission of a certification center”;
  • Regulation “On monitoring compliance by banks with the requirements of legislation on information security, cyber protection and electronic trust services”;
  • Regulation “On authentication and the use of enhanced authentication in the payment market”.

The fintech expert believes that Ukrainian legislation covers most of the necessary EU requirements quite well, but in a more decentralized manner. “9 out of 10 of all security problems are a result of the human factor. This rule is relevant for almost all markets in the world, only in different manifestations. That’s why the rules and regulations in all countries with a well-developed fintech market will be almost identical – because they are all written either on the basis of international experience or on their own mistakes. Only the specifics of the work of regulators are important, which must be taken into account in each of the new markets,” Artem Lyashanov summarizes.
