DORA for the Contact Centre: Building Resilience in Financial Services

Our world is increasingly reliant on digital infrastructure. This delivers the businesses that operate essential services tremendous corporate and customer experience (CX) benefits. But it also exposes them to risk. As a critical infrastructure sector, financial services is particularly at risk from cyber-threats and IT failure. That’s why the EU is introducing the Digital Operational Resilience Act (DORA).  

In a departure from the norm, there’s a heavy focus in DORA not only on the financial services firms themselves, but also their ICT suppliers. That will make finding the right partnerships crucial to managing cyber and compliance risk going forward.  

With just a few months to go before the compliance deadline, financial services firms can’t afford to forget about the Contact Centre.  

Why do we need DORA?  

The financial services sector has arguably much more to lose from IT failures and cyber-compromise than adjacent verticals. On the one hand, its businesses store huge troves of sensitive personal and financial information, and as such represent a popular target for data thieves and extortionists. On the other, they run critical services which – if interrupted – could have a major societal, economic and potentially even national security impact. 

These concerns are far from theoretical. An International Monetary Fund (IMF) report recently revealed that more than 20,000 attacks on the sector over the past 20 years have caused losses exceeding $12bn. The recent CrowdStrike outage, which impacted millions of global Windows endpoints and caused disruption at several UK banks, is a timely reminder that sometimes simple negligence rather than malice can have a similarly serious impact. 

What DORA demands  

That’s why, from the beginning of 2025, over 22,000 financial entities and ICT service providers operating within the EU, as well as any ICT infrastructure supporting them from outside the bloc, will need to comply with DORA. Those found in violation face fines of up to 2% of global annual turnover, while individuals could be fined a maximum of €1m. So what do they need to put in place? 

The high-level focus is on best practices across IT risk management and operational resilience. In practice, this means identifying, documenting and securing all IT assets. It means continuously monitoring sources of IT risk and ensuring prevention and detection of critical threats. And it means rolling out business continuity and disaster recovery plans. Complying organisations may also need to enhance incident management and reporting, perform regular testing of tools and systems, and promptly remediate any security gaps. There’s also a heavy focus on IT suppliers – especially the harmonisation of risk monitoring across all third-party vendors. 

Four pillars for the Contact Centre 

As a critical interface between financial institution and customer, and a prodigious user of ICT services, the Contact Centre must be front and centre of any DORA compliance programme. In this context, there are four areas to bear in mind.   

First, understand the data flowing through the Contact Centre and ICT supplier systems. How sensitive is it? How is it processed? And how is it protected? If the organisation is already GDPR compliant, these are the kinds of questions that should be relatively straightforward to answer. Second, focus on contractual management. It may be necessary to revisit these documents to ensure they contain the mandatory clauses specified by DORA.  

Next, ensure suppliers have adequate security measures in place. That means not just promoting resilience through effective patch management programmes, but also prevention (e.g. anti-malware), and threat detection and response. Finally, consider the human element to cyber-risk management. Employees must understand their roles and responsibilities, and have an adequate grasp of what cyber-threats look like and how to respond to them. It takes just one misplaced click on a phishing email to cause a major organisation-wide data breach or ransomware outage. 

What to look for in a supplier 

The good news is that there are Contact Centre technology suppliers that support these requirements. Look for those offering pen-tested, resilient infrastructure with redundant, fault tolerant systems that are up to date with the latest security controls and threat protection. In this regard, cloud-based systems have the advantage of regular security and functionality updates to deliver best-in-class technology.  

It may also be worth looking to consolidate point solutions onto fewer suppliers. A single platform-based offering could cover everything from unified comms and speech/text analytics to support for remote working, omnichannel service and access controls. Fewer suppliers means fewer contracts to manage, maintain and review – freeing up time to work on other aspects of DORA compliance.  

A reputable supplier should have relationships with security-focused ICT vendors, but also deliver streamlined compliance and continuous monitoring. They will help clients understand customer data flows, and offer proactive solutions to manage and mitigate cyber risk. 

An opportunity to innovate 

Ultimately, financial services firms should look at DORA not as another onerous regulation, but as an opportunity, to save money, better understand customers, and invest in new infrastructure.  

Historically the industry has built on top of legacy tech, which can create more problems than it solves. By embracing cloud-based Contact Centre technology, there’s a great chance to enhance security and resilience, and work from a single source of truth that unlocks data silos. In this way, DORA could actually usher in a new era of customer-centric innovation and sustainable growth.