APAC financial firms are getting ready for the implications of the European Union’s operational resilience rules, otherwise known as the Digital Operational Resilience Act (DORA).
DORA is an EU regulation, but its rigorous mandates are already shaping regulators’ expectations and driving operational resilience in critical APAC markets, such as Singapore, Australia and India, as well as Hong Kong.
DORA, which became effective in January 2023 (full phase-in January 17, 2025), intends to provide a comprehensive approach to digital operational resilience for the financial services industry.
Its five core functions – ICT risk management, third-party oversight, resilience testing, incident reporting, and information sharing and intelligence – are creating new global norms in security and operational continuity.
Recent GDPR posturing is, however, increasingly positioning DORA for APAC institutions not as part and parcel of a broader European-based compliance hoop to jump through, but instead as an underpinning architecture for digital resilience.
The approach is aimed at responding to the region’s fast-digitalising and inter-connected financial ecosystems, which, while underpinning innovation, are facing the risk of highly sophisticated cyber disruptions. Regional authorities are tightening up their mandates, taking DORA’s lead to focus on issues such as technology risk management and enhanced incident disclosure.
In response to these changing, DORA-influenced directives, banks in APAC are making considerable investments in governance, risk and compliance (GRC) solutions. These can be automated GRC platforms, AI-driven threat detection tools or continuous monitoring solutions.
Firms should also reassess and strengthen third-party risk management frameworks to ensure that ICT service providers are subject to similarly robust digital operational resilience requirements and, in doing so, address systemic supply chain risks.
The trend toward regulatory harmonisation in APAC, demonstrated through guidance from MAS, Australia’s CPS 230, and augmented reporting requirements in India and Hong Kong, shows that the direction of travel is clear.
APAC financial institutions, by proactively embracing DORA guidelines, are seeking not only to future-proof against regulatory expectations, but also to bolster cyber-resilience, reduce exposure to risk, and build longer-term interoperability across the global financial ecosystem.