Digital Operational Resilience Act (DORA): Addressing an Old New Network Problem
FNA Papers Series
By Dr Carlos León
The 2007-2008 global financial crisis established that financial market infrastructures (FMIs) act as the critical "plumbing" of global markets, essential for financial stability. However, modern financial systems rely heavily on an even deeper, hidden layer: the physical and logical networks provided by information and communication technology (ICT). Increased digitalization has amplified ICT risks, creating extreme cloud concentration vulnerabilities. For instance, the top five cloud service providers control over 80 percent of the market , and a major operational incident at just one of the top three providers could immediately impact up to 53% of globally systemically important banks.
To address this critical blind spot, the European Union's Digital Operational Resilience Act (DORA) brings a broad range of entities under a single regulatory umbrella. Crucially, DORA explicitly applies to critical ICT third-party service providers—such as cloud computing, data analytics, and data center providers—treating their operational resilience as heavily as traditional safety and soundness.
This paper frames DORA as a vital step in solving an "old new" network problem. By introducing ICT providers into the traditional network models of financial institutions and FMIs, stakeholders can effectively map node interdependencies, identify critical vulnerabilities, and simulate severe stress scenarios. Ultimately, adopting a comprehensive network perspective is essential for authorities and financial entities to mitigate systemic concentration risks and ensure the continued stability of the financial system
