As we look ahead into 2025, at Custodia we see an outlook clouded by more uncertainty than usual, driven by a combination of politics, geopolitics, and economics. The political priorities emerging from recent elections are still taking shape. What is already clear, however, is that countries will prioritise economic growth and competitiveness and, given high and potentially rising geopolitical tensions, economic and cyber security.
Operational resilience has become a critical priority for businesses worldwide, driven by increasing cyber threats, regulatory scrutiny, and the rapid evolution of technology. The CrowdStrike outage of July 2024, in which a faulty sensor update from one of the leading endpoint security vendors took large numbers of Windows systems offline, brought the operational risks that firms face because of their technology dependencies into much sharper focus. Notably, that outage was not a cyberattack: it showed that a routine change at a single critical supplier can cause the same disruption as a successful attack. The Basel Committee is calling for a more rigorous approach to “critical third parties”, and financial regulators in some jurisdictions are preparing to extend their oversight to technology suppliers.
European regulators are leading the way, with frameworks such as the EU’s Digital Operational Resilience Act (DORA) and the UK financial services authorities’ critical third parties (CTP) regime reshaping the compliance landscape. Other jurisdictions have yet to implement formal regulations, but US regulators have issued joint guidance on third-party risk management, and we expect it to remain a priority in 2025, with other jurisdictions likely to follow. Organisations must rethink their resilience strategies to adapt to these new regulatory realities. These developments are not merely about compliance; they represent an opportunity for businesses to enhance security, streamline operations, and build trust in an increasingly interconnected world.
The Rising Importance of Operational Resilience
For as long as technology has been part of global security, the interaction between people and data has been a core pillar of effective business resilience strategies. With data breaches and cyberattacks continuing to increase, however, operational resilience must evolve if it is to mitigate these risks effectively.
At the Global Security Exchange (GSX), Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), emphasised the need for stronger defences and collaborative partnerships between industry and government. This underscores the shift from a reactive to a proactive approach to resilience, in which AI and data-driven strategies play a pivotal role.
The Impact of EU DORA and UK Proposals on the financial services sector
DORA, which has applied since 17 January 2025, requires financial entities operating within the EU to strengthen their digital operational resilience. It requires firms to bring ICT security, ICT risk management, and third-party oversight up to the regulatory standard. However, many organisations are not fully prepared, and instead of achieving full compliance by the application date, firms are planning “proportionate day-one responses” backed by longer-term implementation strategies.
A major challenge under DORA is third-party risk management. Banks and financial firms must reassess their contracts with external ICT providers to ensure they contain the provisions DORA requires. With some institutions relying on hundreds or even thousands of third-party providers, the expectation that every contract be updated by the application date appears ambitious. A recent speech by the European Central Bank nonetheless made clear that supervisors expect firms to meet their obligations, leaving little room for delay.
Similarly, the UK’s financial services authorities are introducing new rules to strengthen operational resilience in financial services. Their proposals include:
- Standardised reporting templates for operational incidents.
- Expanded oversight of third-party arrangements, including arrangements that do not qualify as outsourcing.
- A focus on consumer harm, market integrity, and systemic risks.
These changes aim to improve regulatory oversight, reduce inconsistencies in incident reporting, and ensure firms have robust frameworks to handle disruptions effectively.
Challenges and Opportunities for the Market
Domestic political agendas, rather than international coordination efforts, have recently shaped financial services regulatory developments. Although efforts to coordinate internationally will continue, operational resilience regulation is following a country-specific path, much as regulatory developments in artificial intelligence (AI) and data governance have done. In some jurisdictions, we may see increased pressure for deregulation and concerns about international competitiveness. That may create local advantage and arbitrage opportunities, but for firms operating globally it is also likely to increase fragmentation and regulatory cost.
Operational resilience regulations such as DORA and the UK financial services authorities’ proposals signal a new era of risk management. With compliance deadlines either just passed or fast approaching, financial institutions that take a proactive approach will gain a competitive edge by embedding resilience into their core operations. And because cooperation on global standards is unlikely in the near term, global firms will have to address regulatory requirements on a fragmented, jurisdiction-by-jurisdiction basis.