Digital4Security Taster Workshops - Workshop 4: Operational Resilience: Surviving the Accident and the Hack

March 3, 2026 | 5:00 PM CET | Past event

With major EU financial regulations now fully enforceable and cyber incidents disrupting operations across borders, firms face immediate penalties and systemic risks if they cannot withstand both accidents and deliberate hacks.

Key takeaways

  • The EU's Digital Operational Resilience Act (DORA) became fully applicable in January 2025, imposing strict ICT risk management, incident reporting, and third-party oversight requirements on financial entities, with enforcement ramping up in 2026.
  • UK financial regulators ended their operational resilience transition period on 31 March 2025, now demanding proof that firms can deliver critical services within defined impact tolerances amid rising cyber threats and outages.
  • Persistent high-profile disruptions from cloud provider failures, ransomware, and supply-chain attacks in 2025-2026 highlight the concrete costs—billions in losses, halted services, and eroded trust—while revealing tensions between rapid digital transformation and robust resilience.

Rising Imperative for Operational Resilience

Financial services operate in an environment where digital disruptions—whether from cyberattacks, technical failures, or external events—can halt trading, payments, and customer access within minutes. The convergence of stricter regulations and escalating threats has made operational resilience a board-level priority rather than an IT concern.

In the European Union, the Digital Operational Resilience Act (DORA), applicable since January 2025, mandates harmonised rules for managing ICT risks across banks, insurers, investment firms, and other entities. Regulators expect full compliance, including detailed registers of third-party providers and rigorous testing, with no transition leniency signalled. Non-compliance risks fines, audits, and reputational damage in a sector already under scrutiny for systemic stability.

Parallel developments in the UK reinforce this shift. The FCA and PRA's operational resilience framework, fully in force after a March 2025 deadline, requires firms to map important business services, set impact tolerances, and demonstrate ongoing adherence. Supervisors now scrutinise evidence of real-world preparedness rather than documentation alone.

Recent incidents underscore the stakes. Average breach costs in finance remain in the millions, while specific events—like nationwide outages tied to power failures or repeated cloud disruptions—have paralysed banking services across regions. Cyber incidents rose sharply, with financial firms facing advanced threats from state actors and criminals exploiting third-party dependencies. These not only incur direct financial losses but also trigger regulatory reporting cascades and potential market instability.

Less visible tensions emerge in the trade-offs. Firms push aggressive digital transformation—cloud adoption, AI integration—to stay competitive, yet these expand attack surfaces and complicate resilience. Regulators demand visibility into third-party risks, but global supply chains resist full oversight. Geopolitical factors amplify threats, while boards balance investment in prevention against short-term profitability pressures.

The result is a sector where surviving 'the accident and the hack' means building capabilities to absorb shocks without cascading failures, at a time when inaction invites both regulatory sanctions and existential operational breakdowns.