IT Infrastructure Management for EU Financial Services


Summary

IT infrastructure management for EU financial services refers to how banks, insurers, and other financial institutions oversee and maintain their technology systems to meet strict European regulations, such as the Digital Operational Resilience Act (DORA). This involves ensuring that all digital platforms, networks, and providers are secure, resilient, and able to withstand disruptions, while also maintaining control over outsourced tech services.

  • Strengthen vendor control: Review contracts and relationships with technology providers to guarantee clear accountability and the ability to monitor and terminate arrangements if risks arise.
  • Address concentration risk: Identify where your business relies on a few major tech suppliers and plan for alternatives in case one provider’s services become unavailable due to political or technical reasons.
  • Maintain supply chain visibility: Track every subcontractor in your digital service chain and make sure all parties meet security and compliance standards, no matter where they are based.
Summarized by AI based on LinkedIn member posts
  • Lance McGrath

    Group Chief (Information) Security Officer (EVP) | Enterprise Technology & Operational Resilience Executive | Financial Services

    5,645 followers

    Today marks a significant milestone in the financial sector: the EU Digital Operational Resilience Act (DORA) officially takes effect. Like many others around the Nordics and indeed the entire EU, we at Danske Bank have been working hard to prepare for this moment. So, what makes DORA different, and how does the world of operational resilience change starting today?

    1. Operational Resilience Becomes a Regulatory Imperative
    DORA isn’t just a framework; it’s a paradigm shift. It moves operational resilience from a best practice to a legal requirement across the EU. Financial entities are now mandated to not only manage risks within their organization but to also ensure the resilience of their third-party providers, especially critical ICT service providers.

    2. A Focus on Testing, Not Just Compliance
    Under DORA, resilience isn’t about ticking boxes. It’s about stress-testing your systems against real-world threats—cyberattacks, operational disruptions, or systemic failures—and demonstrating your capacity to maintain critical services in extreme conditions.

    3. Bridging Cybersecurity and Risk Management
    Traditionally, cybersecurity and operational risk management have been siloed. DORA integrates them, creating a cohesive approach to managing risks that span technology, processes, and third-party dependencies. Again, while some have done this previously, it’s no longer optional.

    4. Transparency and Accountability
    With mandatory reporting of major ICT incidents and the requirement to maintain a robust incident response framework, DORA increases accountability across the board. It demands that organizations not only respond to threats effectively but also report transparently to regulators and stakeholders, who have themselves been working hard to prepare for this.

    What Changes Today?
    For many of us in the financial sector, DORA isn’t a starting line—it’s a checkpoint. If your organization has been preparing effectively, today should feel like a natural extension of your resilience strategy. However, DORA brings clarity and consistency across the EU. Starting today, regulators will expect more than words; they’ll want evidence that your organization can adapt, recover, and thrive in the face of adversity.

    Why Does This Matter?
    Operational resilience isn’t just about compliance—it’s about trust. In a world where financial services are increasingly interconnected, disruptions don’t just hurt individual organizations; they ripple across the ecosystem. By enforcing resilience at all levels, DORA raises the bar for the entire industry. As we step into this new regulatory landscape, the question isn’t whether you’re compliant—it’s whether you’re resilient enough to lead the way.

    What are your thoughts on today? I’ll be surprised if any of you post that you’re glad the work is done; for myself, I feel like this is the latest step in what promises to continue to be a high-focus area!

  • Barbara Cresti

    Board advisor on AI strategy, governance and organisational transformation | Responsible AI | C-level executive | AI, Cloud, SaaS, IoT | Ex-Amazon Web Services, Orange

    15,333 followers

    This week, EU regulators warned that US cloud providers now pose a systemic risk to the EU’s financial system. Speaking in Brussels, Steven Maijoor, Chair of Supervision at the Dutch Central Bank, described the EU’s digital dependence as: “A fault line running beneath the European financial system.” For years, the EU treated digital infrastructure as an IT and procurement issue. This week, regulators highlighted that it is now a financial stability, geopolitical and sovereignty issue.

    What changed is the risk environment
    As Maijoor warned, if a critical provider were to be ordered by its government to halt services, the consequences could jeopardise financial stability itself. Three developments converged this week:
    ▪️ EU regulators formally designated major US hyperscalers as “critical” to the financial system.
    ▪️ Central bankers explicitly linked geopolitics to operational resilience.
    ▪️ The European Central Bank now treats geopolitical shocks as macro-financial risk drivers.
    ▪️ Political leaders stopped assuming alliances guarantee infrastructure access. “Unpredictability” has entered official policy language.
    ➡️ As EU Financial Services Commissioner Maria Luís Albuquerque put it: “Europe must keep control over the key technologies that underpin and drive our economies.”

    The uncomfortable truth
    The EU cannot currently replace US hyperscalers without cost, friction and risk. Regulators now admit this openly. But dependency without control is not acceptable, especially when:
    ✔️ sanctions can be imposed overnight
    ✔️ export controls shift with elections
    ✔️ infrastructure becomes a bargaining chip
    This is why the conversation has moved from “cloud” to economic security.

    The hidden pattern across finance, defence and public sector
    🔹 Finance talks about concentration risk
    🔹 Defence talks about kill switches
    🔹 Governments talk about sovereign procurement
    Different language. Same fear.
    ➡️ The EU is redefining resilience as the ability to keep agency under pressure.

    What this means for decision makers
    Boards now need clear answers to 3 questions:
    1️⃣ Which systems do we depend on, and who controls them?
    2️⃣ What fails first if access is restricted for political reasons?
    3️⃣ Can we exit or migrate?
    Regulators are already testing these points. Investors will follow. Digital sovereignty defines whether action is possible when conditions change. Dependencies determine where resilience fails. That deserves executive-level attention now.

    #AI #DigitalSovereignty #AIGovernance #Boardroom #Geopolitics

  • Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    25,608 followers

    🚨 A Must-Read for Risk & Compliance Teams: DORA Oversight of Critical Third Parties Just Got Serious

    If your organization relies on third-party technology providers (cloud, infrastructure, software, data services) and serves EU markets, you need to understand what this new DORA update means. Here’s a clear, no-fluff breakdown of the EU's new guide (July 2025) on how critical ICT service providers will now be designated, examined, and held accountable:

    What's the big deal?
    This is the first ever structured, EU-wide oversight framework for third-party ICT providers who are critical to the financial sector. Think AWS, Microsoft, Google Cloud, IBM, and many others. Under DORA, these providers will be:
    - Designated as critical if their failure could threaten financial stability.
    - Monitored year-round by joint EU supervisory teams.
    - Inspected on-site or off-site if risks emerge.
    - Given recommendations that, if ignored, may trigger public naming.
    This changes how financial institutions manage third-party risks, particularly in terms of concentration risks and systemic reliance on a few large technology providers.

    What DORA’s Oversight Involves
    ✔️ Annual designation process based on service criticality, substitutability, and systemic risk.
    ✔️ Joint Examination Teams (JETs) will actively monitor providers across the EU.
    ✔️ Investigations & inspections can be initiated if risks, incidents, or non-compliance are detected.
    ✔️ Non-binding recommendations will be issued, but if ignored, they’ll go public.
    ✔️ Competent Authorities will be informed, and may require firms to suspend or terminate services from non-compliant providers.
    ✔️ Third-country oversight is possible if the provider serves EU clients, even if based elsewhere.

    Why This Matters to You
    Vendor due diligence just got heavier. You’ll need to understand not just your vendor’s controls, but how they interact with DORA regulators.
    More shared insight. Regulators can now share oversight findings with you if you use a critical provider.
    ICT concentration risks are under a microscope. Risk leaders will need to prove they understand and mitigate dependencies.
    EU or not, this affects global providers. If you’re outside the EU but serve EU clients, your oversight perimeter just expanded.

    DORA isn't just about resilience anymore, it’s about control, transparency, and accountability at the third-party level. If your key ICT vendors are designated as critical, expect more scrutiny and be ready for deeper oversight conversations.

    #DORA #ThirdPartyRisk #ICTRisk #CyberResilience #RiskManagement #EURegulation #VendorOversight #Compliance #FinancialServices #tprm

  • Dejan Kosutic

    CEO at Advisera | Expert in cybersecurity and AI governance | ISO 27001, ISO 42001, NIS2, and DORA | Host of the Secure & Simple Podcast

    38,115 followers

    If you work in EU financial services, January 17, 2025, is a deadline. DORA expects you to prove resilience. I put together a Comprehensive Guide to DORA to help you execute with confidence. It’s practical and built from real implementation work across banks, insurers, and fintech.

    What you’ll get from the guide:
    • A clear path from scoping to evidence: governance, ICT risk, testing (incl. TLPT), incident reporting, and supplier management.
    • An 18-step sequence you can follow to run your program without rework.
    • A document checklist mapped to articles, so you know exactly what to write and why.
    • How to leverage ISO 27001 / 22301 and avoid duplicate projects with NIS2.

    If you’re preparing budget requests, lining up testing, or renegotiating ICT contracts, this will save you weeks. Download the PDF below and put it to work.

    #DORA #DigitalOperationalResilience #FinancialServices #CyberSecurity #Compliance #RiskManagement #ISO27001 #NIS2 #BusinessContinuity #ThirdPartyRisk

  • Borja Bosch

    Executive Director - Financial Services - Digital Risk and Cybersecurity Advisory & Transformation / Operational Resilience / EMBA

    3,888 followers

    🔐 #DORA UPDATE! #RTS on ICT #Subcontracting published

    The European Commission has adopted Regulation (EU) 2025/532, specifying how financial entities must assess and manage ICT subcontracting arrangements that support critical or important functions under DORA. Here’s what matters:

    🚨 1. Full Accountability
    Even when #ICT services are subcontracted, financial entities remain fully responsible for risk management and regulatory compliance.

    🔍 2. Visibility Through the #SupplyChain
    Firms must identify and assess the entire chain of ICT #subcontractors — including intra-group ones — with attention to the length, complexity, and geography of the chain.

    🛡️ 3. Pre-Contract #DueDiligence
    Before entering into contracts, firms must ensure:
    • Subcontractors have sufficient technical, financial, and security capabilities.
    • They can grant audit, access, and inspection rights.
    • They don’t introduce concentration or geopolitical #risks.

    📄 4. Mandatory Contractual Clauses
    All ICT contracts must:
    • Detail which services may be subcontracted.
    • Impose reporting, monitoring, and continuity obligations.
    • Include the right to terminate the contract under specific risk conditions.

    ⚠️ 5. Change Management is Crucial
    Financial entities must be notified in advance of material changes in subcontracting and may object or terminate if risk thresholds are breached.

    🏛️ 6. Group-Level Application
    Parent undertakings must ensure consistent application of subcontracting policies across their group.

    💬 This regulation adds a new layer of operational and contractual scrutiny. Now is the time to review your ICT outsourcing governance.

    #DORA #ICTRisk #Subcontracting #OperationalResilience #EUCompliance #FinancialRegulation #CyberSecurity #ThirdPartyRisk #FinTech #RegTech

  • Yassine Maleh

    Cybersecurity Professor

    11,498 followers

    🚨 New EU Cybersecurity Regulations Are Here: DORA & NIS 2 Explained 🚨

    The EU’s latest cybersecurity regulations—DORA (Digital Operational Resilience Act) and NIS 2 (Network and Information Security Directive)—are reshaping how organizations manage cyber risks. Here’s what you need to know:

    🔹 Key Takeaways:
    ✅ DORA: Targets financial institutions (banks, insurers, FinTechs) and their ICT providers (cloud, crypto, AI services). Mandates risk management frameworks, incident response plans, and strong authentication (e.g., MFA). Penalties: Operational bans, fines, and reputational damage for non-compliance.
    ✅ NIS 2: Applies to critical sectors (energy, transport, healthcare, digital infrastructure) and medium/large enterprises. Requires basic cyber hygiene: Zero Trust, network segmentation, MFA, and employee training. Fines up to €10M or 2% of global turnover for key entities.

    🔹 Why It Matters:
    Overlap Alert: Financial institutions must comply with both DORA and NIS 2, though DORA’s sector-specific rules take precedence.
    Accountability: Management boards are personally responsible for implementation and oversight.
    MFA is Non-Negotiable: Both regulations emphasize multi-factor authentication to combat phishing and credential theft.

    🔹 How to Prepare:
    1️⃣ Conduct a gap analysis against DORA/NIS 2 requirements.
    2️⃣ Prioritize MFA adoption and secure access management (IAM tools recommended).
    3️⃣ Invest in employee training and incident response simulations.

    📘 Need Help?

    #Cybersecurity #DORA #NIS2 #Compliance #RiskManagement #MFA #EURegulations

  • Soumen Sircar

    Business Leader | Finance and Technology | 30+ Years of Building and Scaling Businesses internationally

    6,371 followers

    In financial services, we often blame failure on the product, which in many cases is true. Wrong pricing. Wrong product-market fit. Weak demand. Poor timing. That's the easy diagnosis. In reality, many good business ideas fail because the infrastructure underneath them was never built either to be nimble or to hold the load. I've seen this happen. Strong products that struggle once volumes pick up, regulations tighten, or cross-border flows become real, because the rails could not support scale.

    Here's where infrastructure usually breaks first:
    - Settlement designed for yesterday's volumes. What works at the pilot stage often collapses under real transaction flow. Cut-offs, intraday liquidity, exception handling, these don't scale automatically. You need to build for it.
    - Transactions that depend on manual fixes. As complexity grows, mismatches multiply. When systems lag, reporting weakens and risk builds quietly. You don't see it coming until it's a problem.
    - Liquidity and treasury models that assume stability. Cross-border businesses expose funding gaps fast. Without strong intraday visibility, growth creates pressure instead of confidence. That's not sustainable.
    - Risk and compliance added after the fact. Many platforms treat controls as overlays. Infrastructure that isn't designed with risk in mind becomes expensive to fix later. Very expensive.

    McKinsey estimates financial institutions spend 30–40% of transformation budgets fixing legacy infrastructure issues, not building new capability.

    The lesson is simple: Business models change. Infrastructure endures. Leaders who invest early in settlement, reconciliation, liquidity, and risk systems create room to grow. Those who don't end up throttling good ideas with fragile foundations. In financial services, advantage doesn't come from what you launch. It comes from what your systems can sustain.

  • Atul Verma

    Founder, QORRO AI | Banking CIO | Building the Future of Relationship Banking | Revenue and Retention Intelligence for Banks

    3,200 followers

    🚀 "From Invisible to Unforgettable: Why IT Infrastructure Risks Are Now Business Risks for Banks"

    As evident from recent news, many financial institutions are struggling with consent orders, system outages, and security incidents—all stemming from underlying IT infrastructure weaknesses. These banks, instead of getting ahead, become bogged down with costly remediations, customer trust erosion, reputation damage, and lost innovation opportunities.

    In today’s banking environment, infrastructure risks are no longer just IT issues—they are business risks that can derail growth and regulatory standing. A resilient, secure, and compliant IT infrastructure is the backbone of banking innovation.

    As they say: "Good infrastructure is invisible; bad infrastructure is unforgettable."

    Top IT Infrastructure Risks Banks Must Address:
    🔴 Cyber Security – Rising threats, ransomware, and evolving attack surfaces.
    🔒 Data Protection – Gaps in encryption, access controls, and data governance.
    ⚠️ System Failures – Outages, poor change management, and legacy bottlenecks.
    🤝 Third-Party Risks – Vendor dependencies, cloud immaturity, and oversight gaps.
    ⚙️ Infrastructure Complexity – Multi-cloud sprawl, observability gaps, and scalability issues.
    🌐 Technology Disruptions – AI, automation, and real-time risk monitoring challenges.

    As an Infrastructure & Operations leader, you should build an organization that proactively manages these risks while establishing a foundation for operational resilience, compliance, and innovation. "An ounce of prevention in infrastructure is worth a pound of cure in outages and fines."

    📥 Download "The CIO Edge" placemat below to self-assess your maturity and build a path to the desired target state. Need it tailored to your organization? DM us.

    #BankingIT #InfrastructureRisk #CyberSecurity #Compliance #CIO #OperationalResilience #DigitalTransformation #SRE #Observability

  • Nannette Martínez Ortiz, CISSP

    Former State CTO and CIO • De-risk innovation, accelerate adoption

    3,159 followers

    The EU's Digital Operational Resilience Act (DORA) deadline is coming up on January 17. It establishes a comprehensive legal framework for financial institutions and their relationship with IT service providers. As jurisdictions' security postures continue to mature, we can expect lawmakers to keep moving in a similar direction...

    DORA includes the following requirements for financial institutions:
    🛡️ IT risk management using a structured approach (framework)
    ✒️ Third-party IT risk management with key contractual provisions
    💣 Digital operational resilience testing (basic and advanced)
    ⚠️ General requirements for security incidents, including disclosure to authorities
    📢 Information sharing and intelligence on cyber threats
    🔍 Oversight of critical third-party providers

    With DORA it's no longer enough for EU financial institutions to allocate capital for potential losses from a cyberattack. Similar to the National Association of Insurance Commissioners (NAIC) Data Security model law recently adopted in Puerto Rico by Comisionado de Seguros de PR (OCS), it requires proactive security controls and resilience planning to actually, effectively, protect data.

    There is one big, important difference between the OCS ruling and DORA: the scope, complexity, and time required to amend them when they require an update. It's much easier to amend an agency rule than a law, especially one that governs all the EU. While DORA is certainly prescriptive —which, in my experience with technology-focused legislation, is something to beware of— its focus on operational resilience, cybersecurity, and risk management hits the nail on the head where organizations' priorities usually fall short (in industries across the board). As new IT-related laws are created around the world and cover technical topics, modern legislative bodies must learn to move faster, not only to pass these laws in time to protect those who need it, but to amend them once the standards they establish become obsolete.

    #GRC #TPRM #nowonboarding https://lnkd.in/e52zpSMd
