How APIs Hold The Key to Achieving DORA Compliance

By Jamie Beckland, CPO of APIContext

The EU’s Digital Operational Resilience Act (DORA), which came into force on 16th January 2025, sets stringent standards for financial institutions including ICT risk management, incident reporting, resilience testing and third-party oversight, marking a major shift in how financial institutions must approach operational resilience.

As financial firms move beyond the deadline, it’s clear that compliance demands more than policies or isolated testing regimes. Instead, organisations must have visibility into the technologies that facilitate daily operations. In particular, APIs serve as the backbone of the financial services ecosystem. Yet API monitoring, including the assessment of third-party risk, is an area that is often overlooked when it comes to resources and budget. With DORA now in full effect, the pressure is on financial institutions to prove their operational resilience. But how?

The Importance of APIs in Financial Services

APIs play a critical role in the financial services industry by enabling seamless communication and data exchange between different systems and applications, supporting important services such as mobile banking and digital payments. However, poorly managed APIs can lead to severe disruptions, from performance issues to security breaches. The challenges are large enough with directly-managed APIs, and are dramatically harder when third-party providers are involved. Failures can result in customer dissatisfaction, increased costs, and reputational damage.

A lack of monitoring can also introduce vulnerabilities from unknown misconfigurations. For instance, in 2019 a misconfigured API allowed a former employee of a cloud service provider to exploit a vulnerability in Capital One’s infrastructure, gaining access to personal data from over 100 million customers, including Social Security numbers and bank account details. The breach resulted in an $80 million fine from U.S. regulators and significant reputational damage. While Capital One has since improved its API resilience, the incident served as a wake-up call for the financial industry, highlighting the need for robust monitoring within the sector.

With DORA now in force, such API failures are no longer just operational risks, they carry regulatory consequences. Continuous monitoring, including oversight of third-party APIs, is now essential for compliance and resilience.

DORA and the API Challenge

DORA applies to over 22,000 financial entities and ICT service providers in the EU, which now must adapt their operations to meet its requirements. The act’s heavy emphasis on continuous operational resilience puts a spotlight on areas that have often been historically overlooked – including API resilience. Yet, many financial institutions continue to treat it as a secondary concern. Budget and resources are frequently directed toward perimeter defences or compliance reporting, with less attention paid to the actual performance of the applications and APIs that deliver customer-facing services.

This approach has proved inadequate even for the internal teams that must review and triage an avalanche of false-positive alerts without seeing a substantial improvement in resilience. Teams end up solving symptoms, not root causes. And the new regulation puts even more focus on the problem.

With DORA’s strong emphasis on application resilience, financial institutions must continuously monitor APIs, not only for uptime but also for latency, error rates and integration dependencies. As they map their environments, visibility into third-party APIs, particularly those integral to critical customer journeys, becomes essential for compliance.

DORA also requires robust third-party risk management. As financial institutions increasingly rely on external providers for everything from payment processing to data storage, understanding and mitigating these dependencies has become a compliance imperative.

APIs often serve as the interface between organisations and their third-party services. Yet, without the right monitoring in place, firms can lack visibility into how these services are performing or failing. This is where enhanced API monitoring can offer significant value. By tracking third-party API health and integrating performance data into broader risk assessments, firms can identify emerging vulnerabilities and respond swiftly, reducing their exposure to systemic failures.

How Synthetic Testing and Monitoring Help Ensure Compliance

With DORA now fully in force, financial institutions must take the appropriate steps to remain compliant and demonstrate their operational resilience. One way this can be achieved is through a combination of synthetic testing and continuous monitoring.

Synthetic testing runs automated scripts that simulate real user actions in order to find and fix availability, performance and functionality issues before end users notice them. This differs from real user monitoring, in which data is collected from requests initiated by actual users. Because synthetic monitoring surfaces issues before customers are affected, it is especially useful in a high-stakes industry such as financial services.

Continuous monitoring complements this by providing real-time detection and mitigation of operational disruptions. It gives financial organisations the ability to track and respond to issues as they arise. Together, these two practices help ensure that both internal systems and third-party providers meet DORA’s requirements.
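The following is an added example (not code from the article or from APIContext) of what a minimal synthetic-monitoring window looks like in practice: each endpoint is probed repeatedly, the probes are aggregated into an error rate and a 95th-percentile latency, both are compared against thresholds, and breaching endpoints are mapped onto the customer journeys that depend on them, so that a degrading third-party API shows up as a risk to a specific journey rather than as an isolated alert. The endpoint names (`auth`, `psp`, `fraud`), the journeys, the threshold values and the scripted transport are all constructed stand-ins so the script runs offline; a real deployment would replace `scripted_transport` with a transport that issues the HTTP request and times it.

```python
"""Synthetic API probes with SLO evaluation and a third-party dependency roll-up.

Added example, not code from the article or from APIContext. Endpoint names,
journeys, thresholds and the scripted transport are all constructed stand-ins.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A transport answers one synthetic request with (http_status, latency_ms).
# A real transport would wrap an HTTP client and time the call; the scripted
# one below replays canned answers so the example runs offline.
Transport = Callable[[str], Tuple[int, float]]


@dataclass
class Sample:
    ok: bool           # 2xx/3xx answer that arrived within the timeout
    status: int        # 0 when the request itself failed (DNS, TLS, refused)
    latency_ms: float


@dataclass
class Thresholds:
    max_error_rate: float = 0.01   # more than 1 % failed probes in the window breaches
    max_p95_ms: float = 500.0      # 95th-percentile latency ceiling
    timeout_ms: float = 2000.0     # slower than this counts as a failure


def probe(transport: Transport, url: str, th: Thresholds) -> Sample:
    """Run one synthetic request and classify the outcome."""
    try:
        status, latency = transport(url)
    except Exception:
        # Connection-level failure: no status, and the probe waited out the timeout.
        return Sample(False, 0, th.timeout_ms)
    ok = 200 <= status < 400 and latency <= th.timeout_ms
    return Sample(ok, status, latency)


def evaluate(samples: List[Sample], th: Thresholds) -> Dict[str, object]:
    """Aggregate a window of probes into error rate, p95 latency and breaches."""
    n = len(samples)
    error_rate = sum(1 for s in samples if not s.ok) / n
    latencies = sorted(s.latency_ms for s in samples)
    rank = -(-95 * n // 100)                  # ceil(0.95 * n) in integer arithmetic
    p95 = latencies[rank - 1]                 # nearest-rank percentile
    breaches = []
    if error_rate > th.max_error_rate:
        breaches.append(f"error_rate {error_rate:.1%} > {th.max_error_rate:.1%}")
    if p95 > th.max_p95_ms:
        breaches.append(f"p95 {p95:.0f}ms > {th.max_p95_ms:.0f}ms")
    return {"probes": n, "error_rate": error_rate, "p95_ms": p95, "breaches": breaches}


def run_window(endpoints: Dict[str, Transport], th: Thresholds, probes: int = 20) -> Dict[str, Dict]:
    """Probe every endpoint `probes` times and evaluate each against the thresholds."""
    return {name: evaluate([probe(t, name, th) for _ in range(probes)], th)
            for name, t in endpoints.items()}


def journeys_at_risk(journeys: Dict[str, List[str]], results: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map breaching endpoints onto the customer journeys that depend on them."""
    at_risk = {}
    for journey, deps in journeys.items():
        failing = [d for d in deps if results[d]["breaches"]]
        if failing:
            at_risk[journey] = failing
    return at_risk


def scripted_transport(script: List[Tuple[int, float]]) -> Transport:
    """Constructed stand-in: replays fixed (status, latency_ms) answers in order."""
    answers = iter(script)

    def transport(url: str) -> Tuple[int, float]:
        status, latency = next(answers)
        if status == 0:
            raise ConnectionError(f"{url}: connection refused")
        return status, latency
    return transport


# Constructed 20-probe windows. "psp" stands for a third-party payment
# processor that is degrading: one slow answer, one 503 and one refused connection.
SCRIPTS = {
    "auth":  [(200, 80.0 + i) for i in range(20)],
    "psp":   [(200, 120.0)] * 17 + [(200, 950.0), (503, 130.0), (0, 0.0)],
    "fraud": [(200, 200.0)] * 20,
}
JOURNEYS = {"card_payment": ["auth", "psp", "fraud"], "balance_enquiry": ["auth"]}
THRESHOLDS = Thresholds()


def constructed_endpoints() -> Dict[str, Transport]:
    """Fresh scripted transports, so a window can be run more than once."""
    return {name: scripted_transport(script) for name, script in SCRIPTS.items()}


if __name__ == "__main__":
    results = run_window(constructed_endpoints(), THRESHOLDS)
    for name, r in results.items():
        print(f"{name:6} probes={r['probes']} err={r['error_rate']:.1%} "
              f"p95={r['p95_ms']:.0f}ms breaches={r['breaches'] or 'none'}")
    print("journeys at risk:", journeys_at_risk(JOURNEYS, results))
```

Two design points carry over to real deployments: a connection-level failure is recorded at the full timeout rather than dropped, so that an unreachable provider worsens both the error rate and the latency percentile instead of disappearing from the statistics; and the journey roll-up is what turns an endpoint-level breach into the kind of evidence DORA's third-party oversight asks for, namely which customer-facing service a given provider's degradation actually threatens.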

To meet compliance effectively, organisations should consider investing in an API monitoring platform that offers both synthetic testing and continuous monitoring as part of an integrated solution, to increase operational resilience and achieve DORA compliance.
