Why Software Delivery, Not Just Software, Decides the Financial Sector

Every bank now runs on software, so "software matters in finance" is not a thesis worth defending. The argument worth having is sharper: in a regulated, high-scale financial institution, your competitive and regulatory position is decided less by the code you write and more by how reliably, securely and compliantly you ship and operate it. The constraint has moved from authoring to delivery. This piece is for engineering directors and senior engineers who already know that, and want the evidence and the operating implications rather than another list of why apps are good.

Figure: DevOps lifecycle diagram showing the continuous loop of plan, build, test, release, deploy, operate and monitor that underpins reliable software delivery in financial institutions.

Spend confirms software is strategic, not back-office

The money settles the "is this strategic" debate. Gartner forecasts global enterprise IT spending in the banking and investment services market to grow roughly 7.8% in 2025 to about $760 billion, on a path to exceed $1.1 trillion by 2029 at a constant-currency five-year CAGR near 8.7%, driven by digital transformation, AI adoption and cybersecurity (Gartner, 2025). That growth rate matters more than the absolute number: technology is compounding faster than most banks' top lines, which means engineering decisions increasingly are the business strategy, not an enabler of it. The flip side is that this spend only converts into outcomes if delivery is disciplined. Capital buys capacity; it does not buy reliability.

Operational resilience is now a legal requirement, not a maturity goal

For any team operating in the EU, the "Risk and Compliance Management" theme has hardened into binding law. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became enforceable across the financial sector on 17 January 2025 (ESMA). DORA imposes a single harmonised framework across 20-plus categories of financial entity, built on ICT risk management, mandatory incident reporting, resilience testing, strict oversight of third-party and cloud providers, and information sharing.

Read that as engineering requirements, because that is what it is. Mandatory incident reporting on tight clocks means your observability, alerting and runbooks have to surface and classify ICT incidents fast enough to report them, not merely fast enough to fix them. Resilience testing means threat-led penetration testing and recoverability you can evidence, not assume. Third-party oversight means your cloud and SaaS dependencies, exit plans and concentration risk become auditable artifacts. The teams that treated resilience as a property to be engineered and measured, rather than a document to be written, walked into 2025 already compliant. The rest are retrofitting under a regulator's gaze.

A busy financial trading floor in a Houston oil-trading office, with rows of traders seated at desks crowded with computer monitors displaying live market data and charts, an American flag hanging in the background.
Photo: Oil Industry News, public domain, via Wikimedia Commons

AI raises the ceiling and the floor at once

The upside is real and quantified. McKinsey estimates generative AI could add $200 billion to $340 billion annually to the global banking sector, equivalent to 2.8% to 4.7% of industry revenues, within an economy-wide opportunity of $2.6 trillion to $4.4 trillion (McKinsey Global Institute, 2023). That is the prize behind AI advisors, fraud models, document automation and data-driven decisioning.

The catch is in how that capability lands in production. The 2024 Accelerate State of DevOps report from DORA (DevOps Research and Assessment, not to be confused with the EU regulation above) found AI to be a double-edged tool: a 25% increase in AI adoption was associated with an estimated 1.5% decline in software delivery throughput and a 7.2% decline in delivery stability, attributed largely to AI inflating change and batch sizes rather than producing bad code (DORA / Google Cloud, via InfoQ). The same report found only about 19% of teams reach the "Elite" performance tier.

The lesson is uncomfortable for anyone selling raw code-generation speed. If your developers can produce more change faster but your pipeline still merges large batches, your lead time gets worse and your change-failure rate climbs. In a DORA-regulated context, declining delivery stability is not just a velocity problem, it is a resilience problem with a reporting obligation attached. The mitigation is the unglamorous discipline that predates AI: small batches, trunk-based flow, fast automated testing, progressive delivery and tight feedback loops. AI is a force multiplier on whatever delivery system it lands in. Multiply a brittle one and you get faster outages.

Security spend is rising because the threat is

The "Security and Fraud Prevention" pressure is escalating in measurable terms. Gartner forecasts worldwide end-user information-security spending to reach $213 billion in 2025, up from $193 billion in 2024, roughly 10% growth, driven in part by AI and generative-AI-enabled threats on both the attacker and defender side (Gartner, 2025). For financial institutions, the practical implication is that security cannot be a gate at the end of the pipeline. Encryption and multi-factor authentication are table stakes; the differentiator is shifting controls left into the delivery system itself, so that dependency scanning, secrets management, signed artifacts and policy-as-code run on every change. Security you can prove on every deploy is also security you can evidence to a regulator.

What this means for how you build

Pull the threads together and a consistent operating model emerges for senior teams in finance:

  • Optimise the four key delivery metrics, not output. Lead time, deployment frequency, change-failure rate and time-to-restore are the levers that turn IT spend into safe, fast change. They are also the closest proxy you have for DORA-grade operational resilience.
  • Keep batches small, especially with AI in the loop. The cheapest defence against AI-inflated change size is a pipeline that makes large changes painful and small ones trivial. Trunk-based development and progressive delivery do more for stability than any policy memo.
  • Make resilience and compliance executable. Recoverability, incident detection, third-party inventory and control evidence belong in code and pipelines, generated as a by-product of how you ship, not assembled by hand before an audit.
  • Treat third-party and cloud dependencies as first-class risk. Under DORA, concentration risk and exit strategy are your problem whether or not you outsourced the running of them.
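As an added illustration (not code from the original piece or from Expeditious Software), here are the four key metrics from the first bullet computed over a constructed set of deployment records, together with the small-versus-large batch split that the second bullet argues for; the `Deployment` record shape, the 28-day window and the batch-size threshold of 20 are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Deployment:
    """One production deployment (constructed record, not a real pipeline event)."""
    commit_at: datetime                      # oldest commit in the batch; lead time starts here
    deployed_at: datetime                    # when the batch reached production
    changes: int                             # commits in the batch (batch size)
    failed: bool = False                     # triggered an incident, hotfix or rollback
    restored_at: Optional[datetime] = None   # service restored, if failed (incident assumed to start at deploy)


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def four_key_metrics(deploys: list, window_days: int = 28) -> dict:
    """Deployment frequency, lead time, change-failure rate and time to restore over the window."""
    if not deploys:
        raise ValueError("no deployments in window")
    failed = [d for d in deploys if d.failed]
    return {
        "deploys_per_day": len(deploys) / window_days,
        "lead_time_hours": median(_hours(d.commit_at, d.deployed_at) for d in deploys),
        "change_failure_rate": len(failed) / len(deploys),
        "restore_hours": median(_hours(d.deployed_at, d.restored_at) for d in failed) if failed else 0.0,
        "median_batch": median(d.changes for d in deploys),
    }


def failure_rate_by_batch(deploys: list, threshold: int = 20) -> dict:
    """Change-failure rate for small vs large batches: the signal that batch inflation is hurting stability."""
    def cfr(group):
        return sum(d.failed for d in group) / len(group) if group else 0.0
    small = [d for d in deploys if d.changes <= threshold]
    large = [d for d in deploys if d.changes > threshold]
    return {"small": cfr(small), "large": cfr(large)}


# Constructed 28-day sample; timestamps, sizes and outcomes are illustrative only.
T = datetime
SAMPLE = [
    Deployment(T(2025, 3, 1, 9), T(2025, 3, 1, 15), changes=3),
    Deployment(T(2025, 3, 3, 10), T(2025, 3, 4, 10), changes=8),
    Deployment(T(2025, 3, 5, 8), T(2025, 3, 8, 8), changes=40, failed=True, restored_at=T(2025, 3, 8, 12)),
    Deployment(T(2025, 3, 10, 9), T(2025, 3, 10, 11), changes=2),
    Deployment(T(2025, 3, 12, 9), T(2025, 3, 15, 9), changes=35, failed=True, restored_at=T(2025, 3, 15, 10, 30)),
    Deployment(T(2025, 3, 20, 9), T(2025, 3, 20, 13), changes=4),
]

if __name__ == "__main__":
    for name, value in four_key_metrics(SAMPLE).items():
        print(f"{name:>20}: {value:.2f}")
    print(failure_rate_by_batch(SAMPLE))
```

In the sample the two large batches account for every failure, which is the pattern to watch for when AI-assisted change volume rises.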

None of this is novel to a staff engineer. What is new is that regulation, AI economics and threat spend have converged to make elite delivery practice the precondition for both compliance and competitiveness, rather than a nice-to-have. The institutions that win the next cycle will not be the ones that wrote the most software, or even the ones that adopted AI fastest. They will be the ones whose delivery systems can absorb that speed without losing stability, security or the ability to prove either.

Expeditious Software builds and hardens exactly that delivery capability for financial institutions, across DevOps, cloud and platform engineering. If you are turning rising technology spend into faster, more resilient, demonstrably compliant change, talk to us.

Mateusz Ulas