The Digital Operational Resilience Act (DORA) is one of the newest compliance requirements for financial institutions doing business within the European Union (EU), effective January 17, 2025.

These organizations’ mobile apps are front and center. The legislation can bring significant changes to how financial companies, both in and outside the EU, manage their mobile apps and related digital tools, among other systems. The law aims to ensure that financial organizations can detect, contain, and recover from Information and Communications Technology (ICT) incidents.

DORA is formally known as Regulation (EU) 2022/2554. The law was enacted in the EU on January 17, 2023, allowing two years for full adherence by 2025. It stresses the need for such businesses to strengthen their operational resilience, including within their often crucial mobile app operations.

How financial app developers & managers must comply with DORA

DORA requires financial organizations to implement rigorous measures to protect their systems against weaknesses, aiming to bolster protections against cyberattacks and minimize any ensuing operational interruptions.

Consumers’ broad use of mobile apps for banking, investment management, and other essential financial services makes the apps themselves a target for criminals. Attackers look for account details, personal information, transaction data, and more, and may even use the app as a pathway into the enterprise systems behind it.

Financial app managers that fall under DORA’s mandate must ensure they are able to:

  • Confirm that important financial data is free of unauthorized intrusion
  • Bolster defenses against cyber dangers for mobile apps and web
  • Identify and respond to suspicious activities with mobile apps in real time
  • Proactively reduce risks such as app-related weaknesses
  • Address risks associated with third-party service providers, such as supply chain attacks in mobile apps
  • Prevent non-compliance by staying ahead of legal requirements to avoid costly penalties
  • Gain the benefits of industry collaboration that helps ensure timely threat insights

Even if financial organizations are not physically based within the EU, compliance is mandatory for all relevant entities that offer services within EU territory. That makes firms from nearly all parts of the world subject to its oversight, greatly widening the number of affected organizations.

Balancing security and usability in financial mobile apps

Financial organizations must make certain that mobile apps are not just secure but also user-friendly. Complex login protocols, slow operations, and other excessively constricting security measures could annoy users. This frustration could lead to poor customer experience and thus customer turnover.

Businesses must comply with DORA while balancing strong security with usability to maintain customer satisfaction. DORA therefore stands as a firm mandate for the financial sector not only to further assess its digital resilience but also to keep repeat customers.

While mobile apps are central to customer engagement, they also pose distinct risks. The regulation requires more than standard compliance: financial institutions must instill a security-focused approach. At all times, they must balance their operational requirements with security and user satisfaction.

Financial organizations must closely examine their cybersecurity strategies, incident recovery plans, and monitoring processes. Action items deriving from third-party risks must immediately be addressed. By complying with DORA, organizations can successfully meet regulatory standards while powerfully protecting their reputations.

Focus of Article 24

Article 24 of DORA specifically addresses the contractual arrangements with ICT third-party service providers. This article outlines the rules and requirements financial institutions must follow when entering into contracts with external ICT service providers, ensuring these arrangements do not compromise the operational resilience of the institution.

Key points of Article 24 include:

  1. Mandatory Provisions in Contracts: Financial entities must include specific provisions in contracts with ICT third-party service providers. These provisions should address:
    • Clear descriptions of the services provided.
    • Service level agreements (SLAs).
    • Obligations to ensure compliance with DORA requirements.
    • Incident reporting and notification procedures.
    • Termination rights in case the provider fails to meet the agreed requirements.
  2. Risk Management: The contracts should support the financial institution’s ability to manage and mitigate risks related to ICT services.
  3. Access and Audit Rights: Contracts should allow financial entities to:
    • Monitor and audit the performance of the service provider.
    • Access critical systems and data if necessary.
  4. Termination Clauses: Financial institutions should have the right to terminate the contract in cases where the ICT provider fails to meet regulatory or contractual obligations, or where critical risks are identified.
  5. Resilience and Continuity: The agreements should include measures to ensure the continuity of critical operations in the event of disruptions affecting the service provider.

Why Is Article 24 Important?

  • It ensures financial institutions maintain control over outsourced ICT services and remain compliant with regulatory obligations.
  • It safeguards against risks that could arise from over-reliance on third-party providers.
  • It enhances the resilience of the broader financial system by addressing vulnerabilities in third-party ICT relationships.

What is vulnerability scanning?

Vulnerability scanning serves as a fundamental security measure, systematically examining systems for potential weaknesses that cybercriminals could exploit. This automated process thoroughly checks networks, applications, and infrastructure components for known security gaps.

Modern scanning tools use up-to-date vulnerability databases and detection rules to identify both common and emerging weaknesses, providing detailed reports on what they find. These findings range from basic configuration errors to complex security flaws in software code.

A robust scanning strategy must encompass continuous monitoring and swift remediation. For example, when a scanner identifies a critical SQL injection vulnerability in a banking application, security teams should promptly implement necessary patches to prevent potential data breaches.

Regular scans form an integral part of maintaining DORA standards, helping financial organizations proactively strengthen their security posture before threats materialize.

What is the difference between vulnerability scan and compliance scan?

While both types of scans enhance security, they serve distinct purposes. Vulnerability scans target technical weaknesses in systems and applications that attackers might exploit. These scans search for outdated software, missing patches, and potential entry points.

Compliance scans measure adherence to specific regulatory frameworks and security standards. For instance, a bank might run compliance scans to verify PCI DSS requirements are met, checking password policies and access controls.

Think of vulnerability scanning as finding holes in your fence, whereas compliance scanning ensures your fence meets local building codes. Both work together: vulnerability scans uncover technical gaps, while compliance scans verify security practices align with industry requirements.