
How the Digital Operational Resilience Act (DORA) Impacts Payment Testing

Steve Gilde October 2, 2024

Shockwaves from the July 19, 2024, CrowdStrike outage (which you can read more about in our blog Outage Outrage: Lessons from the CrowdStrike Failure) and the resulting firestorm still reverberate throughout the global marketplace, especially within the financial services industry.

Unprecedented in terms of its scale, impact, and cost, the incident has been a wake-up call for both private industry and government regulators, highlighting the risks associated with the rapid expansion of deeply embedded and interconnected digital services, as well as the lack of investment in operational resiliency and IT infrastructure maintenance. 

This fabric of interconnected networks, computer systems, and applications certainly helps facilitate global communications, commerce, and the efficient exchange of data, benefiting organizations of all sizes and from all corners of the globe. 

However, as we saw from the CrowdStrike event, this interdependence on shared infrastructure and services carries significant systemic risk, effectively creating a “house of cards” in which an outage in any one shared facility or service can quickly cascade across every connected entity, causing widespread impact.

And while the CrowdStrike debacle was unprecedented in terms of its rapid and widespread impact on international business, it was not an isolated incident. Research by industry consultancy PagerDuty highlights the growing frequency of these IT incidents, citing a 43% increase in customer-facing events during the past year. 

The ThousandEyes website warns: “As we review the 2024 outage data, we see that the percentage of cloud service provider (CSP) outages has continued increasing - though at a more accelerated rate than seen in recent years. Application outages also remain on an upward trend.” 

Not surprisingly, the increasing number and escalating costs of these occurrences, as well as their potential to impact national economies and international commerce, have caught the attention of regulators across the globe. 

Meet DORA (The Digital Operational Resilience Act) 

Even before the CrowdStrike incident, operational resilience was already a front-burner issue for regulators across the European Union. They recognized that banks and other financial service providers have become increasingly dependent on Information and Communication Technology (ICT) to deliver their products and services, making them extremely vulnerable to IT outages and cyber-attacks. 

As CrowdStrike demonstrated so clearly, these ICT risks can - and do - disrupt the delivery of financial services to both consumers and businesses, with the potential to halt commerce across broad business sectors, entire countries, and even the whole European region.

The Digital Operational Resilience Act, or DORA, was first proposed by the European Commission - the executive branch of the EU - on September 24, 2020, as part of a broader digital finance package that also included the proposal for regulating crypto-assets (now the Markets in Crypto-Assets Regulation, MiCA) and the EU's overall digital finance strategy. It was adopted as Regulation (EU) 2022/2554, entered into force on January 16, 2023, and applies from January 17, 2025.

Specifically, DORA was enacted to improve the operational resilience of European financial institutions. It mandates requirements across five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and information sharing. Together these are intended to enhance the security and stability of the financial sector.

DORA recognizes that while many financial services companies conduct some resiliency testing, they often do not have adequate processes, controls, or documentation to support it. The regulation's testing chapter requires financial entities to test all ICT systems and applications supporting critical or important functions at least once a year, and requires entities identified by their competent authority to carry out threat-led penetration testing (TLPT) at least every three years. Now that DORA applies (from January 17, 2025), financial institutions must show an appropriate level of management, governance, and oversight of their testing and of the other critical components necessary to achieve and maintain operational resilience.

DORA is a significant step towards strengthening resilience across the European Union, with detailed guidelines for corporate behavior, rules for enforcement, as well as a framework for fines and penalties. 


The cost of non-compliance?

DORA does not set a single EU-wide fine schedule for financial entities. Instead, it requires each member state to give its competent authorities the power to impose administrative penalties and remedial measures for breaches, which must be "effective, proportionate and dissuasive"; member states may also choose to apply criminal penalties. The exact amounts therefore depend on the national rules in each jurisdiction where a financial entity is supervised.

The picture is different for the ICT third-party providers that service the financial services community. Those designated as critical are placed under a Lead Overseer (one of the European Supervisory Authorities, or ESAs), which can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, applied daily for up to six months, until the provider complies with the overseer's recommendations. A provider's failure to comply is also published, which in practice can carry commercial consequences beyond the financial penalty.

Will the USA be Next? 

Is there potential for legislation similar to DORA to be enacted in the USA? While there is growing recognition of the need to improve operational resilience in the American financial sector, the size and scale of the American banking industry, our state and federal regulatory frameworks, as well as the political landscape will certainly impact any steps taken. 

However, it may be worth noting the following: 

“The Federal Government is focused on establishing and using cyber requirements to protect critical infrastructure, including through the development and harmonization of regulatory requirements in multiple critical infrastructure sectors.”

2024 Report on the Cybersecurity Posture of the United States 


Be Prepared for the Worst With Automated Payment Testing

There can be no doubt that IT outages and cyberattacks are a serious and growing threat to every business, in Europe and across the globe. For companies that provide financial services and payment processing, any outage, no matter the cause, damages your customers, your brand, and your bottom line.

CrowdStrike has clearly illustrated these risks and how critically important it is for every business to develop the appropriate strategies to protect its customers, its employees, and its shareholders.  


“Testing and approving new and modified systems and software (including critical security patches) before their implementation are essential to help ensure systems’ hardware and programs operate as intended and that no unauthorized changes are introduced.”

U.S. Government Accountability Office 


A key component of that strategy needs to be test automation, which greatly increases the speed at which tests can be run, shortening test cycles so that a patch, configuration change, or emergency fix can be verified before it reaches production rather than after. Testing speed, accuracy, and coverage together form a safeguard that helps protect your organization from these threats and keeps you ahead of your competition.

Test automation also minimizes the risk of human error by ensuring that every test is performed completely, consistently, and accurately each time it runs - improving the security, reliability, and quality of testing operations, and producing the repeatable, documented evidence of testing that regulators now expect to see.

Paragon Application Systems has been delivering innovative testing solutions to the largest and most sophisticated financial services companies worldwide for more than 30 years. We partner with banks, card networks, retailers, and payment processors to ensure their payment systems are always functional, reliable, and running at peak efficiency. 

When it comes to the issue of payment testing, preparation is key. Companies that invest in modern payment testing solutions will be able to optimize their testing operations, enabling them to respond more quickly to incidents and outages and to be prepared for any rules and regulations that are almost sure to come in the future. 

The team at Paragon can help review your current payment testing strategy, providing advice and guidance on testing capabilities that will help your organization prevent unwanted outages and prepare for future legal and regulatory changes. Contact us today to learn more. 
