For the financial sector, managing digital risks in this cloud era is more crucial than ever. New regulations such as DORA serve as a roadmap for organizations to improve their security and resilience. An industry-wide strategy is needed to implement these new requirements. Hybrid cloud, and open source in particular, can prove to be invaluable tools.
Ever since the 2008 global financial crisis, governments and regulators have been on a mission to build integrity and resilience back into their banking and financial systems. In the EU, DORA (Digital Operational Resilience Act) is the latest of these efforts. Passed in March 2022 and applying from January 17th 2025, this new legislation will mandate that financial organizations ensure the resilience of all the technologies in their stack.
With DORA, liability is the key tenet—if you run the technology, you are responsible for it. That brings third-party systems and applications into the arena of an organization's accountability. DORA is above all a response to the increasing digitalization of the financial world and the additional security risks this brings, especially where IT services are outsourced and cloud models are used. This also includes the major cloud providers such as Microsoft, Amazon and Google.
It’s not just big banks that will be under the spotlight. DORA will also apply to all sorts of financial businesses, from credit and payment providers to investment and insurance firms; cryptocurrency exchanges to crowdfunding platforms. By doing so, the EU hopes to prevent substantial economic damage to the industry, as the estimated annual cost of incidents to the European financial sector ranges from €2 billion to as much as €27 billion.
A hyper-connected finance sector
DORA comes at a time when many institutions are adding complexity, and so risk, to their technology supply chain. The undeniable benefits of the cloud are likely to prompt even more mission-critical workloads to head there. These workloads in turn bring more profound security considerations, and new vendors are sought that can protect these core systems, as are partners that can modernize legacy platforms and applications and power the digital innovations that leave customers happy and the competition behind. The result is a hyper-connected finance sector, and a wider and potentially more vulnerable attack surface for institutions. Organizations now access a vast array of third-party data and technology services from the same public cloud servers and data centers. If one organization is vulnerable, it may impact everyone else. The Federal Reserve estimates that an attack on any one of the five most active banks in the US could spill over to impact 38% of the national financial network.
A shared responsibility
As attacks become ever more sophisticated, calls for a more community-minded, open approach are growing louder. Since financial systems no longer exist in isolation, resilience and security should be a real team effort rather than a lone pursuit. If institutions pull down their walls of secrecy, there can be a holistic view of how everything is stitched together, truly benefiting everyone in the ecosystem. There are efforts in industry and academia to map how the global financial sector is technologically connected, using simulations to determine how a system failure or attack could impact not just a few firms but spill over into the markets. This involves, for example, identifying potential gateways that could lead to systemic risks and quantifying the impact of security incidents on the overall economy. Regulators, financial institutions and cloud providers alike can benefit from these insights. Ultimately, these are the same modelling principles that helped virologists predict the path of COVID-19.
Open source and hybrid cloud
A crucial challenge for financial institutions these days is how they can build this required resilience when using cloud services. To this end, a growing number of companies are following a strategy based on open source and the hybrid cloud. A recent Red Hat survey called "The State of Enterprise Open Source", for instance, shows that 81% of IT managers in the financial world prefer to rely on open source solution providers. Around 75% of these managers do so because open source software simplifies the implementation of a hybrid cloud infrastructure. This is because such an infrastructure provides the flexibility to consistently run and scale applications across different environments - from bare metal to VMs, edge computing, private cloud and multiple public clouds - without having to redevelop applications, retrain people or maintain disparate environments. At the same time, open hybrid cloud provides the necessary standards and features for consistent security across multiple cloud environments, while maintaining application portability. This also allows financial institutions to remain flexible in their choice of future cloud options. Overall, open hybrid cloud can contribute to stronger security and resilience.
Resilience and innovation
As companies are realizing the potential of the cloud, the main task for the financial sector remains clear: combine resilience and innovation. Financial institutions should collectively adopt a truly holistic approach, where security is part of the DNA of the entire ecosystem and not seen as an afterthought. This task can be accelerated by consciously opting for shared, open standards and hybrid cloud infrastructures.