The deadline for implementing the EU's new Digital Operational Resilience Act (DORA) was January 17, 2025. The regulation introduces key requirements that financial institutions must comply with, covering both EU-based companies and foreign businesses operating within the EU; Ukrainian firms are among them. Fintech entrepreneur Artem Lyashanov outlined the main provisions of DORA and compared them with similar regulatory initiatives in Ukraine.
About DORA
We reviewed this document and identified five key aspects that companies should focus on:
- Risk Management. Businesses utilizing information and communication technologies must establish, document, and maintain a comprehensive risk management framework. This includes continuous monitoring, vulnerability assessments, incident response, and stabilization measures.
- Incident Reporting. In addition to risk management, market participants are required to implement a structured system for promptly reporting digital resilience breaches to regulatory authorities.
- Testing and Resilience. Under DORA, companies must regularly conduct stress tests, simulating various breach scenarios to assess their preparedness.
- Third-Party Risk Management. This involves ongoing evaluations of vendors and partners, as well as continuous audits to mitigate potential risks.
- Information Sharing. While not a mandatory requirement, DORA strongly encourages companies to exchange threat intelligence related to digital resilience with other market participants and regulatory bodies.
“DORA is fundamentally a set of protective measures introduced by the European regulator for the payments industry. It places responsibility on banks, payment service providers, and technical infrastructure operators. Since January 2024, this regulatory framework has been shaping – and now mandating – greater cybersecurity resilience among financial market participants. This goal is to be achieved through action plans structured around specific requirements,” says Artem Lyashanov.
Importance of the act
According to the speaker, new regulatory norms are not introduced to burden or complicate business activity, but to minimize losses caused by cyber threats. The concern is well-founded: Lloyd’s of London predicts that within five years, a cyberattack on a major payment system could result in losses of up to $3.5 trillion. Additionally, the annual IBM Cost of a Data Breach Report estimates that a single breach costs the affected company around $4.45 million.
For this reason, violations of DORA will be met with strict penalties, including fines of 2% of global annual turnover, which in certain cases may amount to as much as 5 million EUR.
“Fintech is an evolving industry driven by the streamlining of financial processes, all while ensuring robust security for digital assets. However, as opportunities expand, so do potential risks. Any adverse scenario impacts not just a single company but the entire sector, potentially affecting investment flows. This is precisely why DORA aims to standardize and continuously refine a unified financial oversight framework across the EU market – minimizing risks and, in turn, safeguarding profitability,” explains Artem Lyashanov.
Ukrainian adaptations of the DORA regulation
Key security and resilience principles outlined in DORA are already reflected in several Ukrainian regulatory frameworks, including:
- The Law of Ukraine “On the Basic Principles of Ensuring Cybersecurity in Ukraine”;
- Regulation “On qualified providers of electronic trust services included in the Trusted List upon submission of a certification center”;
- Regulation “On monitoring compliance by banks with the requirements of legislation on information security, cyber protection and electronic trust services”;
- Regulation “On authentication and the use of enhanced authentication in the payment market”.
According to the fintech expert, Ukrainian legislation aligns well with most EU requirements, though it follows a more decentralized approach.
“Human error accounts for 9 out of 10 security issues—a pattern observed across global markets, albeit in different forms. This is why regulatory frameworks in countries with advanced fintech sectors tend to be strikingly similar, as they are shaped either by international best practices or lessons learned from past incidents. The key distinction lies in how regulators operate, and this must be carefully considered when entering new markets,” concludes Artem Lyashanov.