BrandView

EU’s DORA requirements kick in next year — is your mobile app ready?


For financial institutions conducting business within the European Union (EU), time is running out to prepare for one of the latest compliance requirements — and their mobile apps are front and center.

The Digital Operational Resilience Act (DORA) will officially become effective on January 17, 2025. To ensure that financial entities can detect, mitigate and recover from Information and Communications Technology (ICT) incidents, the regulation can bring far-reaching changes to how financial firms (both in and outside the EU) manage, among other systems, their mobile apps and related digital assets.

As the deadline looms, many financial entities may be questioning whether their mobile app-related operations are ready for DORA. Previously labeled Regulation (EU) 2022/2554, DORA was implemented in the EU on January 17, 2023. The law allowed two years for full compliance by 2025, emphasizing the need for such businesses to strengthen their operational adaptability and durability — including within their often critical mobile app operations.

With an aim to bolster defenses against cyberattacks and minimize any resulting operational disruptions, DORA requires financial institutions to implement stringent measures to protect their systems against vulnerabilities. Consumers’ widespread use of mobile apps for banking, investment management, and other essential financial services makes the apps themselves a target for cybercriminals looking for account credentials, personal information, transaction details and more — even, perhaps, a malicious pathway into the associated enterprise running the app itself.

Financial app owners that fall under DORA’s scope need to ensure they are now able to:

  • Strengthen defenses against cyberthreats for mobile apps and web
  • Ensure that critical financial data is protected from unauthorized access
  • Proactively mitigate risks such as app-related vulnerabilities
  • Detect and respond to unusual activity in mobile apps in real time
  • Prevent non-compliance by staying ahead of regulatory requirements to avoid costly fines
  • Gain the benefits of sector collaboration that helps ensure timely insights
  • Address risks associated with third-party service providers, such as supply chain attacks in mobile apps

Compliance is mandatory for all relevant entities, regardless of whether they are physically based within the EU, provided they offer services within EU borders. That greatly widens the number of impacted organizations, making firms from nearly all corners of the world subject to its oversight.

Additionally, while security is critical, financial institutions must also ensure that mobile apps remain user-friendly. Complex login protocols, slow operations and other overly restrictive security measures could frustrate users and lead to a poor customer experience — or, even worse, customer churn. To balance top-notch security and usability, businesses must comply with DORA while maintaining that all-important customer satisfaction. That means that DORA stands as a clear call to action for the financial sector to further evaluate its digital resilience while keeping users returning time and time again.

Mobile apps are fundamental to customer engagement, but they also present unique risks. The regulation demands more than ordinary compliance, requiring that financial institutions instill a security-first mindset; they must simultaneously balance their operational needs with security and user satisfaction.

Now is the time for financial entities to take a hard look at their cybersecurity procedures, incident recovery plans, and monitoring processes. Third-party risks that demand urgent action should be addressed immediately. DORA presents both a challenge and an opportunity — and by complying, institutions can meet regulatory standards while building further trust. The countdown to DORA is on: the institutions that act swiftly will be ready to face the increasingly digital, risk-laden world and thrive.

For additional information on DORA compliance, visit:

www.verimatrix.com/cybersecurity/dora-compliance

Tom Powledge is head of cybersecurity business at Verimatrix (www.verimatrix.com/cybersecurity).
