With every new act or legal change comes uncharted territory. Richard Sampson, Chief Revenue Officer at Tax Systems, explains what the EU’s Digital Operational Resilience Act means for tax operations and financial institutions.
As tax operations increasingly rely on diverse technologies for data storage, compliance and real-time reporting, security remains vital to safeguarding sensitive financial information, maintaining regulatory compliance and protecting against cyberthreats. With 2024 witnessing a dramatic increase in cyber-breaches, keeping security tight will remain a hot topic in 2025.
With the introduction of the Digital Operational Resilience Act (DORA) in the EU, financial institutions, including tax service providers, are now required to ensure robust cybersecurity measures. While not all service providers are required to be DORA-compliant, many are subject to additional scrutiny as they supply DORA-regulated entities. In addition, DORA requires financial institutions to share information about cyberthreats and vulnerabilities to improve collective security.

In terms of its relevance to UK companies, the situation is analogous to other pieces of EU legislation, such as GDPR. According to guidance from PwC, DORA applies to ‘more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU.’
DORA came into force in January this year and aims to enhance the digital resilience of financial institutions and ICT third-party service providers, focusing on their ability to withstand cyberattacks and the potential disruption they bring, as well as other events requiring disaster recovery (DR). Organisations found to have been in breach face penalties of up to two percent of total worldwide revenue, with third-party providers liable for fines of up to €5 million. Penalties can also apply to organisations if they fail to report an incident.
DORA also has a specific category for ‘Critical Third-Party Providers’ (CTPPs), which are either of systemic importance to a high number of financial entities, support their critical functions or are difficult to replace. In each case, European Supervisory Authorities (ESAs) will monitor these providers, conduct inspections and impose penalties for non-compliance.
Exploring the implications for ICT suppliers
To understand the impact of DORA on their organisations and customers, financial entities and their IT suppliers should focus on a range of key activities, including:
- Risk assessment and due diligence: Before agreeing on a contract, the financial organisation should conduct due diligence to ensure that the IT vendor is suitable and meets information security standards.
- Continuity and resilience: Assess the risk management and business continuity measures of each IT vendor and confirm that they are effective in maintaining the operational resilience of the financial organisation.
- Subcontractors: The financial entity should request information on any subcontractors used by the IT vendor.
- Contractual requirements: DORA provides a comprehensive overview of the requirements that the provisions in an agreement between a financial entity and an IT vendor must meet.
- Information register: Financial entities are required to establish a detailed information register in which all contracts with IT suppliers must be recorded.
DORA also sets out compliance criteria for the contracts used by IT suppliers and financial institutions. To determine which contractual requirements apply, it is first important to analyse whether the IT service qualifies as a ‘critical or important’ function. Under DORA, a ‘critical or important function’ is defined as a function whose disruption would significantly harm the financial performance of a financial organisation. These are the functions and processes that cause the organisation’s operations to stop if disrupted. Examples include the processing of payments, the administration of transactions and records and the payment of benefits. If a critical or important function is involved, additional requirements apply to the agreement.
On an operational level, DORA focuses on a range of key requirements. Starting with risk and incident management, IT suppliers must carry out risk assessments, implement mitigation strategies and focus on resilience. They are also obliged to track, manage and report IT incidents using automated reporting where possible. Given DORA’s heavy focus on resilience, IT suppliers are also required to perform regular resilience testing, including continuity planning and scenario-based assessments. This includes maintaining comprehensive documentation and evidence of resilience measures.
Additionally, IT suppliers must update their Master Service Agreements (MSAs) to reflect the requirements set out in DORA and establish robust mechanisms for responding to audits and questionnaires. Suppliers should enhance the frequency of vulnerability scanning, ideally deploying automated solutions and developing detailed mitigation plans to address potential disruptions. This should be backed by a comprehensive reporting mechanism using Key Performance Indicators (KPIs) to demonstrate ongoing compliance. As part of the overall compliance process, DORA-specific staff training is essential to ensure that compliance is robust and effective.
The workload required to meet these additional safeguards is significant – both in terms of time and resources – which inevitably has a cost implication for both organisations and vendors. All parties concerned will be looking at the best way to balance the increased levels of service with the constant drive for efficiency savings, but whilst compliance with DORA may come at an increased price, arguably the price of non-compliance is far greater.
Ultimately, DORA sets out a wide range of important responsibilities that, if they haven’t been addressed already, should be actioned by IT suppliers as a matter of priority. Those who fail to act not only put the resilience of their infrastructure at risk – and, by definition, that of their customers – but also open themselves up to potentially expensive and highly damaging enforcement action in the years ahead.
The global banking industry is finally catching on to Artificial Intelligence (AI), digital and cloud transformation, thanks partly to digital upstarts that have found innovative ways to grow amidst challenging markets. For example, digital-only and some data-driven regional banks have grown their deposits by as much as ten percent. In contrast, traditional banks have experienced deposit declines of three to five percent over the same period, according to research by McKinsey. Top-performing institutions have excelled by focusing on relationship banking and superior digital service in consumer finance, and by using data-driven interest rate pricing.
The global banking and financial services sector has taken note of these opportunities. It is undergoing rapid digital transformation driven by the adoption of AI solutions. According to the Bank of England, 75% of financial organisations were using AI in 2024, with a further 10% planning to use this technology over the next three years.
However, this surge towards using AI risks being undermined by a perennial problem in enterprise IT – a proliferation of siloed data linked to legacy and modern applications and systems. Whilst much of the impetus for AI in banking is to improve operations and customer service by collecting and analysing data, the reality is that for too many banks, their data sources are fragmented and incomplete.
So, how can banks ensure their journey to effective AI usage is not delayed or derailed?
The obstacles to effective AI-driven enterprise data integration
Firstly, business and technology leaders within banks must acknowledge the barriers to AI deployment. Several issues stand in the way, including low trust, a lack of explainability in the technology and integration problems, but siloed data that is poor quality and incomplete is the most fundamental problem to correct.
The way data is siloed compounds the challenge banks face in getting their AI-driven enterprise data right. A data silo is a collection of information stored within a specific application, department or system that is not easily accessible or shared across an organisation. Data silos often emerge as financial services organisations add specialised tools to solve specific business challenges. Each tool generates and stores its own data, leading to greater fragmentation and more data held in silos.
As banks scale in size and add more applications to their back-end systems, even more data accumulates in separate hubs within the business. This continues to snowball as financial organisations rely on multiple third-party platforms, all of which create their own data and store it in their own systems. There is little collaboration between the parties involved, the bank itself and its external partners. Reltio’s 2024 Data Leader Survey found that 82% of respondents said that over 40% of their organisation’s data is derived from over 50 applications.
Consequently, data silos prevent banks from gaining a complete, and therefore accurate, view of their operations and their customers. As such, this makes it challenging for these financial services organisations to harness data for AI-driven insights, efficient decision-making and seamless customer experiences.
Overcoming the challenges with a unified data strategy
No matter how ambitious a bank’s AI plans are, banks often find their organisations stalled by inconsistent and fragmented data. So, whilst financial services organisations pursue AI-driven transformation efforts, many remain entangled in a web of disconnected data, jeopardising their success. Even those businesses with mature data governance frameworks face persistent data silos that hinder their AI initiatives.
So, as banks continue to spend their ever-tightening budgets on digital transformation, they must ensure that they are making the most of these efforts. The Global Banking Benchmark Study found that 32% of executives said budget constraints are a significant barrier to digital transformation. It is therefore important for banks to break down these data silos to improve their AI-driven initiatives. Not only that, but financial services organisations must also ensure that the data fed into these models is high quality, complete and trusted.
Therefore, financial services organisations must have a strong data unification strategy, or they will be at risk of their data silos becoming that much more troublesome as they continue to scale and grow. Silos also have a significant impact on customer service: data stored in silos does not give a customer service agent a full view of the customer, so the agent cannot offer personalised or proactive service. As such, all data about each customer should be stored in one place that is easily accessible.
Banks should focus on driving customer-centric initiatives, with a strong focus on customer 360 views to enhance experiences and create operational efficiency. So, it is gratifying that most of the respondents in the aforementioned survey of data leaders across all sectors, including banking, have plans to upgrade data architecture within the next 12 months to improve the unification and management of data across their enterprise.
As financial services organisations continue to grow, scale and add more third-party applications, their siloed data issues will only continue if banks scatter valuable information across increasingly fragmented sources. With a modern data unification tool, banks can consolidate data and deliver trusted and timely insights to drive best-in-class customer service. As banks continue to further their AI-driven digital transformation efforts, only an integrated data unification solution will unlock AI’s full potential and empower banks to thrive.