Innovative mechanisms of state regulation of information security of financial institutions in Ukraine in the context of DORA implementation and SupTech tools development
DOI:
https://doi.org/10.61345/1339-7915.2025.2.26
Keywords:
Digital operational resilience, DORA compliance, SupTech, RegTech, Financial institutions, Cybersecurity, Incident reporting, EU-Ukraine integration
Abstract
The article is devoted to the study of Ukraine’s transition from fragmented ICT-security regulation toward a fully fledged Digital Operational Resilience framework that mirrors the requirements of EU Regulation 2022/2554 (DORA). It outlines the wartime pressures that have accelerated this shift, details the National Bank of Ukraine’s three-pillar SupTech architecture (incident-reporting API, regulatory sandbox, real-time supervisory dashboard) and argues that automated compliance is not a discretionary upgrade but a macro-prudential necessity that preserves investor confidence and systemic liquidity.
Examined are the economic and legal incentives that make DORA alignment financially viable even for under-capitalised institutions. Scenario modelling shows that avoided outage losses, lower cyber-insurance premia and access to Eurosystem threat-intelligence platforms deliver a positive net present value within two supervisory cycles. The analysis further highlights the cost-of-compliance-as-a-service market: while bundled cloud solutions reduce initial expenditure, they raise questions about data sovereignty and third-party concentration risk, which the draft Law “On Digital Resilience of the Financial Sector” seeks to balance through localisation clauses and annual provider stress tests.
Explored in depth are the technological underpinnings of the proposed SupTech platform. A microservice architecture integrates graph databases, BERT-based semantic parsers and Deep SVDD anomaly-detection algorithms, cutting average incident-detection time from twenty-seven to nine minutes in pilot trials. The platform’s design embeds GDPR impact-assessment fields directly into DORA incident messages, thereby eliminating reporting duplication and aligning with European Data Protection Board guidance on cross-regime notifications.
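To make the cross-regime message design concrete, the following added example (written for this page, not code from the article or the NBU platform) models one incident notification that carries a GDPR personal-data block inside the DORA payload, derives both regimes' deadlines from a single awareness timestamp, and rejects inconsistent submissions. The field names are constructed; the clocks are the statutory ones (DORA initial notification within 4 hours of classification as major and no later than 24 hours from awareness; GDPR Art. 33 notification within 72 hours of awareness).

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta
from typing import Optional
import json

# Statutory reporting clocks; field names below are constructed for illustration.
DORA_INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
DORA_INITIAL_AFTER_AWARENESS = timedelta(hours=24)
GDPR_BREACH_AFTER_AWARENESS = timedelta(hours=72)

@dataclass
class GdprImpact:
    """Personal-data assessment embedded in the DORA message (constructed schema)."""
    personal_data_affected: bool
    categories: list = field(default_factory=list)   # e.g. ["IBAN", "name"]
    data_subjects_approx: int = 0
    high_risk_to_subjects: bool = False             # would also trigger GDPR Art. 34

@dataclass
class IncidentNotification:
    incident_ref: str
    aware_at: datetime
    classified_major_at: Optional[datetime]         # None while still a non-major incident
    confidentiality_impacted: bool                  # DORA "data losses" criterion, confidentiality leg
    gdpr: GdprImpact

def deadlines(n: IncidentNotification) -> dict:
    """Every applicable regime's deadline, computed once from the same timestamps."""
    out = {}
    if n.classified_major_at is not None:
        out["dora_initial"] = min(n.classified_major_at + DORA_INITIAL_AFTER_CLASSIFICATION,
                                  n.aware_at + DORA_INITIAL_AFTER_AWARENESS)
    if n.confidentiality_impacted and n.gdpr.personal_data_affected:
        out["gdpr_authority"] = n.aware_at + GDPR_BREACH_AFTER_AWARENESS
    return out

def validate(n: IncidentNotification) -> list:
    """Consistency checks a supervisory parser would run before accepting the message."""
    errors = []
    if n.confidentiality_impacted and n.gdpr.personal_data_affected and not n.gdpr.categories:
        errors.append("GDPR block requires at least one personal-data category")
    if n.gdpr.personal_data_affected and not n.confidentiality_impacted:
        errors.append("personal data flagged but DORA confidentiality impact not set")
    if n.classified_major_at is not None and n.classified_major_at < n.aware_at:
        errors.append("classification cannot precede awareness")
    return errors

def to_message(n: IncidentNotification) -> str:
    """Serialise the single combined notification, deadlines included."""
    d = asdict(n)
    d["deadlines"] = {k: v.isoformat() for k, v in deadlines(n).items()}
    return json.dumps(d, default=str, sort_keys=True)
```

The same record therefore feeds both the DORA incident channel and the GDPR breach channel, which is the duplication the platform design removes.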
Particular emphasis is placed on the human-factor dimension, identifying the Technology Risk & Resilience Officer certification, shared-responsibility cloud clauses and continuous skills-training as indispensable complements to automation. The study concludes that only a synchronized fusion of advanced analytics, robust legal scaffolding and security-minded organisational culture will allow Ukrainian financial institutions to guarantee uninterrupted critical services, accelerate EU financial-market integration and reinforce national economic security in an era of persistent hybrid threats.
References
European Insurance and Occupational Pensions Authority. (2025). Digital Operational Resilience Act (DORA): Overview of Key Requirements. Retrieved from https://www.eiopa.europa.eu [in English].
Strategy of Ukrainian Financial Sector Development: Progress Report. (2024). National Bank of Ukraine. Kyiv: NBU. Retrieved from https://bank.gov.ua/en/news/all/zvit-z-realizatsiyi-strategiyi-rozvitku-finansovogo-sektoru-ukrayini-za-2024-rik [in English].
Digital-Operational-Resilience-Act.com. (2025). DORA Updates, Compliance and Timeline. Retrieved from https://www.digital-operational-resilience-act.com [in English].
Green Paper on the Development of Regulatory Technology in the Financial Market of Ukraine. (2025, March 31). National Bank of Ukraine. Kyiv: NBU. Retrieved from https://bank.gov.ua/en/news/all/opublikovano-zelenu-knigu-z-rozvitku-regtehu [in English].
Bugcrowd. (2025, February 12). Managing the cost implications of EU DORA compliance. Retrieved from https://www.bugcrowd.com [in English].
European Commission. (2024). Commission Implementing Regulation (EU) 2024/2956 of 15 October 2024. Official Journal of the European Union, L 2956. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ%3AL_202402956 [in English].
Financial-Markets Regulatory Outlook 2025: Navigating Uncertainty in a Fragmented World. (2025). Deloitte. London: Deloitte Insights. Retrieved from https://www.deloitte.com/no/no/Industries/financial-services/perspectives/financial-markets-regulatory-outlook.html [in English].
Revised Eurosystem Cyber Resilience Strategy. (2024, October 18). European Central Bank. Retrieved from https://www.ecb.europa.eu [in English].
Guidelines on the Interplay between the Digital Operational Resilience Act and the GDPR. (2025). European Data Protection Board. Brussels: EDPB. Retrieved from https://www.edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en [in English].
Internet Organised Crime Threat Assessment (IOCTA 2024). (2024). Europol. The Hague: Europol. Retrieved from https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-threat-assessment-iocta-2024 [in English].
License
Copyright (c) 2025 Artem Taranenko

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.