The Digital Operational Resilience Act (DORA) is one of the most significant cybersecurity regulations for financial institutions in the European Union (EU). Failure to comply can have massive consequences, including financial penalties and forced operational downtime, meaning achieving DORA compliance should be a priority for all EU financial institutions.
Implementing a comprehensive API security strategy goes a long way toward ensuring compliance with DORA requirements. Modern financial institutions are utterly reliant on APIs, meaning failing to secure them is tantamount to leaving an entire organization unsecured. This article will explore DORA, its API security challenges, and how Wallarm’s solution helps overcome them.
What is DORA?
DORA is a European Union regulation (EU 2022/2554) that aims to ensure financial institutions can withstand and quickly recover from IT disruptions. It came into force on January 16 2023 and applied from January 17 2025.
DORA aims to strengthen the IT security and operational resilience of financial institutions – including banks, insurance companies, and investment firms across the EU. To achieve this goal, DORA introduces uniform requirements for managing information and communication technology (ICT) risks, such as mandating robust incident management processes, incident reporting, regular resilience testing, and oversight of third-party ICT service providers.
The Act harmonizes these rules for over 20 categories of financial entities and their critical tech vendors, meaning that all kinds of financial institutions must adhere to the same set of cybersecurity standards. This harmonization recognizes the interconnectedness of financial systems in the EU and the need to create a level playing field for compliance across organizations.
Why is DORA Critical?
The modern financial sector is deeply dependent on digital technology and third-party tech vendors. Technology and third-party vendors have granted financial institutions unprecedented efficiency and cost benefits, opportunities for innovation, and the freedom to focus entirely on their core competencies. Without them, many financial organizations would be rendered unable to deliver services. However, this reliance comes with unignorable cybersecurity risks.
Cyberattacks, IT outages, or software failures can cascade into major disruptions of banking, payments, or insurance services – with potential ripple effects on customers and the broader economy. And we aren’t speaking hypothetically; while surprising, the EU is yet to experience a major impact from a surge in significant cyber incidents, in August 2024, the Central Bank of Iran suffered an incident forcing banks to shut down cash machines and Iran’s authoritarian regime to pay a ransom for fear that the breach would “destabilize the country’s already-wobbly financial system.”
Before the EU introduced DORA, firms typically addressed these risks indirectly, for example, by holding extra capital as a buffer. However, this approach didn’t fully address the risk of operational outages, leaving financial institutions vulnerable to disruption and incapable of business continuity in the face of a cybersecurity incident.
DORA forces financial institutions to address cybersecurity risks head-on, mandating that firms actively bolster their operational resilience and prove they can protect, detect, contain, and recover from ICT incidents – not just absorb the losses.
As noted, DORA compliance is not optional. In January 2025, regulators were granted enforcement powers that include:
- Financial Penalties: Fines of up to 2% of a non-compliant organization’s global annual turnover or €10 million, whichever is higher, or penalties of up to €5 million for critical third-party ICT providers.
- Operational Disruptions: Regulatory authorities have the power to restrict or suspend a non-compliant financial firm’s business activities until they achieve full compliance.
Ultimately, DORA is now a top-of-mind directive for any financial institution or ICT service provider operating in the EU market, elevating operational cybersecurity to a board-level concern.
Why is API Security Important?
APIs (Application Programming Interfaces) are essential to modern financial services. They act as the connective tissue of digital products, integrating systems, powering mobile banking, connecting to payment networks, and meeting open-banking mandates. In fact, European open banking initiatives like PSD2 have actively accelerated the proliferation of APIs, making them fundamental to how financial data is accessed and shared.
As a result, APIs are now mission-critical assets for financial institutions – and they also represent a large portion of the attack surface for cyber threats. The importance of APIs is even greater if we also consider the reliance of banks on AI to offer personalized products to their clients. According to Wallarm’s API ThreatStats 2025 report, 98,9% of AI vulnerabilities are API-related, while over 50% of the vulnerabilities in the CISA KEV catalog were about APIs.
What’s more, the consequences of an API breach or outage can be severe, ranging from sensitive data exposure and financial losses to reputational damage or even complete system failure. Again, APIs power financial services – if they fail, the organization fails.
API Security’s Role in DORA Compliance
Under DORA’s guidelines, securing APIs is not just an IT best practice but a compliance imperative. Failing to secure APIs can and will result in the consequences listed above.
DORA mandates that firms implement a comprehensive ICT risk management framework capable of identifying and mitigating risks to critical systems. Given that APIs now facilitate core business processes and data flows, any vulnerability in an API or any successful API-targeted attack would constitute a serious ICT incident that undermines operational resilience.
For example, an undetected API vulnerability could allow attackers to steal customer data or disrupt online services, which would violate DORA’s resilience objectives and trigger incident reporting obligations. Thus, protecting APIs aligns directly with DORA’s outcome-focused approach to resilience. The regulation doesn’t prescribe specific technical controls, but it insists on effective risk management and security outcomes.
This means each organization must protect its APIs from threats – implementing everything from strong authentication and access control to threat monitoring – as part of meeting DORA’s requirements. In short, API security is a cornerstone of DORA compliance: without securing APIs, a financial institution cannot confidently claim it has secured its digital operations or can withstand major disruptions.
How Wallarm Can Help
It’s clear then that robust API security mechanisms are crucial for DORA compliance and, hence, ensuring the resilience of financial institutions. But what specific DORA requirements across all five principles of the Act relate to API security? And how can Wallarm’s API Security platform help organizations meet these requirements? The following table can be handy to fond our more.
| DORA Compliance Requirement | API Security Challenge | Wallarm’s Solution |
| ICT Risk Management | ||
| DORA mandates a comprehensive ICT risk management framework to identify, assess, and mitigate ICT-related risks across all digital assets. This includes managing cybersecurity threats to critical systems (like APIs) to ensure business continuity. | Shadow or misconfigured APIs often go untracked, making it difficult to gauge and mitigate their risks. These exposed or “shadow” APIs are easily compromised by attackers, undermining the organization’s risk management efforts. | Wallarm’s API security platform automatically discovers all APIs and sensitive data usage, giving full visibility into the API attack surface. It then protects these assets in real-time (blocking OWASP API Top 10 threats, bots, and exploits) to reduce API risk in line with DORA’s ICT risk management requirements. |
| ICT-Related Incident Reporting | ||
| DORA requires firms to have early detection and ICT incident reporting capabilities. They must promptly report significant incidents to regulators with details on nature, impact, root cause, and remediation. | Without robust API monitoring, breaches can go unnoticed until it’s too late. A lack of detailed logging and attack detection in APIs means organizations might miss incidents or discover them only after damage is done, making timely reporting challenging. | Wallarm provides complete real-time visibility into API traffic and attacks, immediately detecting suspicious behavior. It captures detailed incident data (attack patterns, affected endpoints, etc.), allowing teams to quickly analyze incidents and generate thorough reports. This accelerates incident response and helps meet DORA’s strict reporting timelines. |
| Digital Operational Resilience Testing | ||
| DORA obligates regular resilience testing (e.g., security assessments, penetration tests, scenario simulations) of critical ICT systems to ensure they withstand disruptions and cyberattacks. APIs, as integral parts of systems, must be tested for vulnerabilities and stress scenarios. | Rapid development and deployment of APIs make continuous security testing difficult. Without frequent testing, weaknesses like misconfigurations or broken authentication can slip into production, remaining undetected until exploited. | Wallarm facilitates continuous API resilience testing by automating security checks on APIs in both pre-production and production. It integrates into CI/CD pipelines to run API-focused tests (including fuzzing and OWASP Top 10 checks) before and after release. By discovering and helping fix vulnerabilities early, Wallarm ensures APIs are hardened against attacks, supporting DORA’s operational resilience testing requirements. |
| Third-Party Risk Management | ||
| DORA emphasizes managing risks from third-party ICT providers. Financial institutions must perform due diligence on tech vendors, monitor their performance (e.g., SLAs for security and uptime), and ensure critical third parties follow strong ICT risk controls. Contingency plans should exist in case a third-party service fails or is compromised. | Integrating third-party services and APIs expands the attack surface. A vulnerable partner API or insecure open-source component can become the weakest link in the chain. However, organizations often lack visibility into the security posture of external APIs, making it hard to assess and mitigate third-party risks. | Wallarm’s platform gives visibility and control over all API integrations, including third-party calls. It automatically inventories external API interactions and monitors them for anomalies or attacks so security teams can catch issues stemming from partners. By enforcing API schemas and security policies uniformly – even for third-party APIs – Wallarm helps ensure that external dependencies meet the organization’s security standards, ensuring compliance DORA’s third-party risk management requirements. |
| Information Sharing Arrangements | ||
| DORA encourages financial entities to join trusted information-sharing networks to exchange cyber threat intelligence and incident information. While not mandatory, this measure aims to strengthen collective resilience by alerting peers and authorities about emerging threats, vulnerabilities, and attacks. | Many organizations lack mechanisms to share or receive API-specific threat intelligence. Because DORA’s info-sharing is encouraged rather than required, firms might not prioritize it, resulting in siloed knowledge. This means one bank might face an API attack that another had already seen, but without sharing, others fail to preempt the threat. | Wallarm’s API security solution aggregates rich data on API threats and attack patterns in real-time (e.g., malicious IPs, payloads, and exploit attempts). These insights can be seamlessly fed into internal reports or threat intel feeds to inform broader teams and industry peers. By integrating with collaboration and SIEM tools, Wallarm helps organizations disseminate relevant API security information to regulators and trusted networks, aligning with DORA’s goal of collective defense through information sharing. |
Want to find out more about how Wallarm’s best-in-class API Security platform can help your financial organization achieve operational resilience and comply with DORA requirements? Schedule an obligation-free demo today.
The post DORA: Strengthening Digital Resilience Through API Security appeared first on Wallarm.
