International Journal of Financial Innovations & Risk Management (IJFIRM)
2026 – Volume 2 – Issue 2 – Pages 163–184
Authors:
Imran Hussain Shah
University of Lahore, Islamabad, Pakistan
Abstract
The increasing reliance on digital infrastructures in the financial sector has heightened vulnerability to cyber threats, prompting regulators to strengthen operational resilience requirements. This study investigates the impact of ICT sectoral exposure on the incidence of cyber incidents in the European Union, with a specific focus on the Digital Operational Resilience Act (DORA) framework and its global comparators. Using panel data from ENISA incident reports (2023–2024) covering EU and neighboring countries, we analyze the relationship between the proportions of incidents affecting the banking, public finance, and individual sectors and total incident counts. Ordinary Least Squares regression reveals that banking sector exposure (% of incidents) is a statistically significant predictor of total incident counts (p < 0.001), whereas public finance and individual exposure proportions are not significant drivers. Multicollinearity diagnostics (VIF < 2.3), heteroskedasticity tests (p > 0.26), and serial correlation tests (p > 0.09) confirm the robustness of the model. The findings highlight the critical role of targeted resilience measures in the banking sector, suggesting that DORA’s emphasis on ICT risk testing, incident classification, and third-party oversight aligns with empirical risk concentrations. A comparative discussion with frameworks such as the US FFIEC CAT and the APAC MAS TRM shows that, while global regimes share similar principles, DORA’s legally binding scope and harmonized EU-wide enforcement mechanisms provide a more comprehensive governance structure. The study contributes to the literature by offering empirical evidence to guide policymakers, regulators, and financial institutions in prioritizing ICT risk management strategies, particularly in sectors with disproportionate exposure to cyber threats.
Keywords
Digital Operational Resilience Act; ICT risk management; cyber incidents; financial sector resilience; ENISA; EU regulation; banking cybersecurity; operational risk; regulatory compliance; global ICT frameworks
