Artem Lyashanov: how DORA cybersecurity standard will affect fintech in the EU and Ukraine
January 17, 2025 was a deadline for the implementation of the new Digital Operational Resilience Act (DORA) in the EU. Fintech entrepreneur Artem Lyashanov told us about the main requirements of DORA and compared them with the regulatory initiatives implemented in Ukraine.
What is this document about
We look through this document and highlighted five aspects that companies should pay attention to:
-
Industrial risk management. According to the document, companies operating with information and communication technologies must develop, describe and maintain a risk management system that includes: constant monitoring, vulnerability assessment, response and stabilization.
-
Incident reporting. Moreover to the previous point: market participants must develop a clear system of operational reporting of incidents regarding digital resilience violations to the authorities;
-
Testing and resilience. According to DORA, market participants must conduct systematic stress tests with the various breach scenarios;
-
Third-party risk management. With recurrent checks of counterparties and providers, as well as ongoing audits;
-
Information exchange. There’s no clear requirement on this point. However, DORA actively encourages the exchange of information on threats to digital resilience between market participants and the regulator.
“DORA is primarily a system of safeguards the European regulator establishes for the payment business. It should be achieved through action plans that are built around a number of requirements,” says Artem Lyashanov.
How important is this act
According to the speaker, any additional regulatory norm arises not because of a desire to overburden or complicate business, but primarily with the goal of reducing losses due to cyber threats. This is a completely understandable concern: the annual IBM Cost of Data Breach Report claims that one such penetration "costs" the affected business around $4.45 million.
That’s why DORA violations will be sanctioned with 2% of the global annual turnover fine , and in special cases the amount can reach up to 5 mln EUR.
“Fintech is a dynamic field that flourishes thanks to the simplifying of financial processes – with strong security guarantees for money in the digital world. But the development of opportunities, of course, raises possible threats. That's why the task of DORA is to unify and constantly update a single system of financial monitoring rules on the EU market, which will reduce risks, and therefore preserve profits”, – continues Artem Lyashanov.
Ukrainian perspective for DORA regulation
The security and resilience aspects from DORA are already used in number of documents:
-
The Law of Ukraine “On the Basic Principles of Ensuring Cybersecurity in Ukraine”;
-
Regulation “On qualified providers of electronic trust services included in the Trusted List upon submission of a certification center”;
-
Regulation “On monitoring compliance by banks with the requirements of legislation on information security, cyber protection and electronic trust services”;
-
Regulation “On authentication and the use of enhanced authentication in the payment market”.
Fintech expert believes that Ukrainian legislation covers most of the necessary requirements of the EU quite well, but in a more decentralized manner.
“9 out of 10 of all security problems is a result of the human factor. This rule is relevant for almost all markets in the world, only in different manifestations. That’s why the rules and regulations in all countries with a well-developed fintech market will be almost identical – because they are all written either on the basis of international experience or on their own mistakes. Only the specifics of the work of regulators are important, which must be taken into account in each of the new markets,” – Artem Lyashanov summarizes.