Increasing DORA Requirements Intensify the Pressure to Modernize in the Finance and Insurance Industry
Why the industry should act now
The requirements for digital resilience for banks, insurance companies, and financial service providers are increasing rapidly, most recently with the entry into force of DORA. Old systems that have grown over the years are increasingly becoming a risk, not only technically but also organizationally. Those who want to remain fit for the future need to act.
What Does DORA Mean?
Since January 17, 2025, DORA (Digital Operational Resilience Act) has been the EU-wide, uniform framework for addressing information and communication technology (ICT) risks in the European financial sector. The requirements include the identification and assessment of ICT risks, the documentation of the underlying systems, the management of changes, and the monitoring of third-party ICT service providers. The aim is to strengthen the stability and resilience of financial companies' digital infrastructure.
What Is Special About Legacy Systems?
Although the regulation does not explicitly require replacing legacy systems, operationalizing the requirements creates clear pressure to act. DORA defines requirements that legacy systems can often only fulfill at disproportionate cost or that structurally conflict with their limitations. In the context of risk assessment, stricter rules apply specifically to legacy systems under Art. 8(7). From an IT and management perspective, all of this makes modernization and replacement even more of a resilience and governance issue and an important strategic step towards DORA compliance.
In light of this, the modernization or replacement of outdated infrastructure is coming into greater focus. The following overview outlines the impact of DORA requirements and the systematic reasons for including the renewal of the technical basis in strategic planning.
Increased Susceptibility to Security Vulnerabilities
DORA obliges the sector to continuously identify ICT risks and take appropriate measures to limit their impact (see Art. 6(1)-(3) and Art. 8(2) and (7) of DORA and DelVO 2024/1774). This also includes assessing vulnerabilities that often persist in legacy systems: such systems may no longer be updatable because manufacturer support and patch availability are limited. This leads to increasing requirements for security controls, additional risk in the absence of updates, and increased costs for compensating measures.
- Replacement becomes the obvious compliance and risk reduction measure.
Limited Documentability and Security
DORA attaches great importance to systematic transparency regarding functions, assets, and dependencies. In particular, information must be classified, documented, and recorded in inventories (see Art. 8(1), (4), and (6) of DORA and Art. 4 of DelVO 2024/1774). Outdated systems make this difficult due to incomplete documentation, historically evolved structures, and complex dependencies. Subsequent documentation can involve significant effort; a lack of transparency regarding technical dependencies also poses a risk. Both lead to more difficult auditability.
- Replacement may be the more favorable compliance route.
Low Suitability for Dynamic Change Management
DORA links changes to ICT systems to strict governance and control requirements and requires "controlled change" as a permanent state (see Art. 8(3) of DORA and Recital 17 of DelVO 2024/1774). Legacy systems can be sensitive to updates and, in some cases, lack stable testing or rollback mechanisms. This limits release frequency and automation: changes can only be made at the risk of significant operational disruption.
- Modernization reduces change risk and audit pain.
Increased Risks in Third Party Management
DORA defines detailed requirements for transparency and control of external ICT service providers (see Art. 28-30 of DORA, Recital 8 of DelVO 2024/1774, and DelVO 2024/1773). Legacy systems are often based on specific manufacturers or partnerships that no longer offer long-term support. This can lead directly to compliance risks: dependencies on technologies that are no longer supported, more difficult enforcement of audit and control rights, and increased risks to business continuity and incident response.
- Such dependencies can be eliminated by replacing the legacy systems.
Conclusion
DORA increases the requirements for security, transparency, change processes, and third-party control. Legacy systems often only fulfill these requirements to a limited extent or only with considerable additional effort. They therefore increase residual risks, slow down changes, make documentation more difficult, and make support dependencies critical. The modernization or replacement of such systems can reduce risks, increase verification efficiency, and support the regulatory requirements in the long term.
Arvato Systems offers an AI-supported modernization solution to lift various legacy technologies to a state-of-the-art programming language and platform. A special Agentic AI workflow has been developed for this purpose, automating modernization to a high degree and thus offering an efficient and cost-effective option. In addition to modernization, AI can automatically generate documentation for the legacy application.