On January 17, 2025, the new Digital Operational Resilience Act (DORA) became fully applicable in the EU. The regulation establishes a number of important requirements that must be followed by financial institutions registered in the European Union and by companies registered elsewhere that provide their services on its territory, including Ukrainian ones. Fintech entrepreneur Artem Lyashanov told us about the main provisions of DORA and compared them with the regulatory initiatives implemented in Ukraine.

What is this document about?
We analyzed the main provisions of this document and identified five aspects that companies should pay attention to:
- ICT risk management. Under DORA, financial entities must establish, document and maintain an ICT risk management framework that includes continuous monitoring, vulnerability assessment, incident response and recovery from consequences;
- Incident reporting. Complementing the previous point, market participants must set up a clear process for prompt reporting of major ICT-related incidents to the relevant authorities;
- Digital operational resilience testing. Market participants must conduct regular resilience tests covering various disruption scenarios;
- Third-party risk management. This provides for regular checks of counterparties and ICT service providers, as well as regular audits;
- Information sharing. There is no explicit requirement on this point; however, DORA actively encourages the exchange of information on threats to digital resilience between market participants and the regulator.
"DORA is primarily a system of safeguards that the European regulator establishes for the payment business. This concerns banks, payment service providers, as well as technical infrastructure operators. This regulatory framework has been preparing financial services market participants for (and now requires from them) cybersecurity reliability since January 2024. It should be achieved through action plans that are built around a number of requirements," says Artem Lyashanov.
How important is the act?
According to the speaker, any regulatory norm arises not from a desire to overburden or complicate business, but primarily with the aim of reducing losses caused by cyber threats. This is an entirely logical step: according to a Lloyd's of London forecast, the consequences of a cyberattack on one of the major payment systems could amount to up to 3.5 trillion dollars over a five-year horizon, and the annual IBM Cost of a Data Breach Report states that a single such breach "costs" the affected business an average of 4.45 million dollars.
That is why non-compliance with DORA can be penalized with a fine of up to 2% of total annual turnover (worldwide, not only in the EU), and in special cases the amount can reach 5 million euros.
"Fintech is a dynamic field that lives by simplifying financial processes, but at the same time guarantees the security of finances in the digital world. As opportunities develop, of course, threats grow too. Each negative scenario is reflected not only in one specific business, but in the industry as a whole: companies have problems with investments. That is why the task of DORA is to unify and constantly update a single system of financial monitoring rules on the EU market, which will reduce risks and therefore preserve profits," continues Artem Lyashanov.
Are similar processes taking place in Ukraine?
In Ukraine, the aspects covered by DORA are regulated by the following documents:
- The Law of Ukraine “On the Basic Principles of Ensuring Cybersecurity in Ukraine”;
- Regulation "On qualified providers of electronic trust services included in the Trusted List upon submission of a certification center";
- Regulation "On monitoring compliance by banks with the requirements of legislation on information security, cyber protection and electronic trust services";
- Regulation "On Authentication and Application of Enhanced Authentication in the Payment Market".
The fintech expert believes that Ukrainian legislation covers all the necessary requirements of the European legislation quite well, but in a more decentralized manner.
"9 out of 10 security problems occur due to the human factor. This rule is relevant for almost all markets in the world, only in different manifestations. That is why the rules and regulations in all countries with a developed financial technology market will be almost identical, because they are all written either based on international experience or on their own mistakes. The only thing that matters is the specifics of how regulators work, which must be taken into account in each of the new markets," summarizes Artem Lyashanov.