As of January 17, 2025, the EU’s Digital Operational Resilience Act (DORA) is officially in force, significantly changing how financial institutions manage risk and resilience in their ICT systems. Although the compliance deadline was set for January 16, 2023, recent findings reveal that a substantial percentage of UK banks are still not ready to meet the regulation’s stringent requirements.
This article delves into the complexities of DORA’s implementation, focusing on the challenges financial organizations face, especially regarding third-party dependencies, such as data centers and cloud service providers.
What is DORA and Why is it Important?
The Digital Operational Resilience Act (DORA) was introduced to protect the financial services sector from increasing risks related to ICT systems. The regulation mandates financial institutions to ensure that their technology infrastructure, including services provided by third-party companies, is secure and resilient enough to withstand cyberattacks and operational disruptions.
DORA aims to address incidents like the 2019 outage at TSB, where the failure to test a new data center led to two million customers losing access to accounts. This caused significant financial loss, regulatory penalties, and reputational damage to the bank.
The Compliance Struggles of UK Banks
Despite the two-year compliance window, a study by Orange Cyberdefense indicates that 43% of UK financial institutions are still not ready to comply with DORA. Many banks are expected to take at least three more months to meet the requirements.
Key Challenges to Compliance
Several challenges are preventing timely compliance:
- Lack of prioritization from senior management (28%)
- Tight timelines for full implementation (25%)
- Skills and knowledge gaps within the organization (24%)
- Limited visibility over third-party suppliers (23%)
These challenges highlight the difficulty of aligning internal policies with the rigorous standards DORA sets, especially when dealing with critical third-party service providers.
DORA’s Impact on Data Centers and Cloud Providers
As financial institutions increasingly rely on external providers for data storage, computing, and infrastructure, DORA regulations extend to data centers and cloud providers. These third-party entities must meet high security and operational resilience standards to support financial institutions’ regulatory compliance.
According to Adrian Mountstephens, strategic business development leader at Equinix, digital infrastructure providers are about to face significant changes as a result of DORA. For the first time, companies like Equinix could be directly regulated under DORA, further increasing their responsibility in supporting the resilience of their clients’ operations.
During 2024, many financial institutions, including Danske Bank and The Co-operative Bank, have been ramping up their reliance on cloud services from providers such as IBM, Google, and Microsoft. This trend underscores the need for data centers and cloud providers to align with DORA’s strict requirements for continuity and data protection.
Key DORA Compliance Requirements for Third-Party Providers
DORA Article 28 sets out several third-party risk management requirements for financial institutions. Notably, it requires banks to assess the risks associated with their ICT service providers, taking into account the criticality of the services provided.
Financial Institutions Must:
- Report on ICT contracts annually, specifying details like service scope, data storage locations, and performance metrics.
- Perform due diligence when selecting third-party service providers, ensuring their ability to meet regulatory standards.
- Have an exit strategy in place should a third-party provider fail to meet operational or regulatory requirements.
These provisions are designed to ensure that financial institutions maintain operational continuity even if a third-party service provider experiences a failure or security breach.
Ensuring Physical and ICT Security: A Joint Responsibility
DORA’s risk management framework emphasizes the need for a comprehensive security approach, covering both ICT assets and physical infrastructure such as data centers. Financial institutions are required to ensure that all aspects of their technology infrastructure, from servers to sensitive areas within data centers, are adequately protected from unauthorized access or damage.
A Lead Overseer is designated to oversee the physical security measures contributing to overall ICT security, ensuring compliance with DORA’s stringent guidelines.
The Role of Identity Security in DORA Compliance
As part of DORA compliance, financial organizations must secure non-employee access and third-party identities. According to Mo Joueid, identity security consultant at SailPoint, around 80% of financial organizations are concerned about vulnerabilities stemming from over-provisioned third-party identities.
Firms must implement rigorous processes for managing third-party access, including onboarding and offboarding procedures to ensure that access is granted only on a “need-to-know” basis.
Frequently Asked Questions (FAQ)
1. What is DORA, and how does it affect banks?
DORA (Digital Operational Resilience Act) is a set of EU regulations that require financial institutions to ensure that their ICT systems, including third-party services, are secure and resilient enough to withstand cyber threats and operational disruptions.
2. Why are UK banks struggling with DORA compliance?
The main challenges include tight compliance timelines, lack of prioritization from senior management, insufficient expertise, and difficulties in managing third-party dependencies.
3. How does DORA affect data centers and cloud providers?
Data centers and cloud providers are directly impacted by DORA, as financial institutions must ensure their external service providers meet the same security and resilience standards required by the regulation.
4. What must financial institutions do to comply with DORA?
Financial institutions must assess and report on the risks associated with third-party ICT services, ensure appropriate security measures are in place, and maintain an exit strategy if a third-party provider fails to meet requirements.
5. How can financial organizations improve compliance with DORA?
Firms should prioritize DORA compliance across all departments, invest in the necessary skills, and closely manage third-party relationships to ensure they meet regulatory standards.