With DORA coming into effect today, Thomas Müller, CEO and co-founder of Rivero, explains what it means for SaaS in the financial services industry.
The EU’s Digital Operational Resilience Act (DORA) is certainly set to bring significant change to businesses operating within the financial sector. With the act taking effect today, financial institutions and their critical third-party technology service providers must implement strong guidelines that meet the requirements outlined by the mandate. For software as a service (SaaS) providers within the financial sector, these changes mean they must ensure they have systems in place to facilitate regular risk assessments, and test frequently to ensure reliability, security, and transparency across their IT infrastructure.
DORA’s primary targets are financial institutions, which may lead some SaaS providers to believe that DORA is not a regulation they need to concern themselves with. After all, SaaS covers a very wide range of solutions. If a SaaS product does not handle any kind of finance operations or payments, then its provider may not consider it subject to the DORA regulation guidelines. This couldn’t be further from the truth. DORA affects any and all businesses with a connection to a financial institution, regardless of what the technology does.
As part of a financial institution’s operational resilience measures, DORA requires that any possible channel into the institution’s systems be checked for vulnerabilities, whether it be internal or via a third party, which in this case would be the SaaS provider. Criminals who seek to circumvent security measures will look for any entryway into a network; no matter how far removed a piece of technology or software program is from its users’ industry, if it is in use by a financial institution then it must also be compliant with DORA. If a financial institution falls out of compliance because of a SaaS product, the provider of that SaaS product is just as liable to face fines.
In order to fall into compliance with DORA, SaaS providers must demonstrate competence in several key compliance areas, from assessing and mitigating ICT-related risks on a constant basis to having a heightened focus on cybersecurity, including protections for data integrity, confidentiality, and availability. A SaaS provider must demonstrate robust risk management practices and perform regular resilience testing for critical services, both their own and those of their customers. Lastly, SaaS providers must also report incidents to both the financial institutions they partner with and the authorities immediately, with continued updates outlining the steps taken to mitigate the threat until it has been fully analysed and concluded.
Meeting all of these requirements may seem like a challenge to SaaS providers, who have to adapt their incident management frameworks and allocate additional resources towards ensuring these steps are taken. Adhering to these standards will undoubtedly have a financial and operational impact on a SaaS provider, but it’s a must in order to avoid the far worse consequences that will come as a result of failing compliance.
With all that said, becoming compliant with DORA is not just about avoiding a negative outcome; it also helps to build trust and credibility in the financial industry. For customers to feel comfortable investing in a provider’s services, often essential to their own operations, they require a strong relationship built upon reliability and trust. Compliance with DORA has simply become a competitive advantage.
For the provider itself, increased resilience to cyber threats and ICT exploits allows SaaS providers to ensure a more stable operation, avoid instances of downtime and course-correct when downtime becomes unavoidable. Preventing downtime also avoids direct revenue loss and customer dissatisfaction, and maintains a positive and impactful brand reputation.
For SaaS providers, DORA regulations do more than boost their competitiveness and brand reputation in a crowded market; they also lay the foundations for future-proofed operations. By being adaptable and implementing DORA’s regulatory frameworks before being required to do so, providers can foster agility and scalability and offer enhanced security and resilience to customers interested in utilising their platform.
Implementing a compliant approach to security that adheres to DORA before it is required signals to financial institutions and potential customers that the SaaS provider is concerned with their security beyond the required level. This shift increases customer trust and loyalty and helps to legitimise the provider in the SaaS space by raising its profile as a trusted partner.
Small, actionable steps help a provider reach its goal of implementing DORA’s regulations. By using a third party to complete a DORA-readiness assessment, providers can identify actionable areas of improvement to ensure overall compliance and readiness.
Additionally, setting up staff training and investing in enhanced cybersecurity measures can not only improve their readiness but also help them take advantage of reduced set-up costs, as when DORA regulations come into force, the cost of these services is likely to increase with demand. Finally, implementing continuous monitoring and incident response frameworks from the earliest possible point helps to position a provider as a key partner in the post-DORA-implementation landscape.
A proactive approach might just be the easiest and most cost-effective way to adapt to DORA regulations. This approach gives employees and the wider business more time to adjust to the changes required of them, making the changes less abrupt and actively avoiding staffing issues.
Compliance with DORA is both a necessity and a strategic opportunity for growth in the finance industry. Staying updated with regulatory changes and continuously evolving operational practices is crucial for long-term compliance, resilience and success.
About Thomas Müller
Thomas Müller is the CEO and co-founder of Rivero, a Swiss FinTech company offering SaaS solutions for fraud recovery and dispute management as well as payment scheme compliance management. Thomas co-founded Rivero in 2019 and has been responsible for building the initial product and leading the engineering team. Thomas previously worked at Viseca and earlier Hewlett-Packard, where he served as a Senior Security Consultant.
About Rivero
Rivero is a fast-growing European company and a Visa Fintech Partner specialising in streamlining payment operations within the highly regulated payments industry. It focuses on offering unique SaaS solutions for dispute management, and payment scheme compliance.