Part 1. Exploring DORA: how to step up to the compliance challenge
The right technology partner can be the difference that makes a difference to your Operational Resilience capabilities.
Overview
If you work for, or with, any scale of financial entity across Banking, Insurance, Stock Exchanges, Brokerages, and Credit Rating Agencies (to list but a few) in the EU, then it’s safe to assume that DORA (Europe’s Digital Operational Resilience Act) is top of mind with the powers that be at the moment. It has been likened to the GDPR of Financial Services, and its repercussions are set to ripple across the industry worldwide.
Things are already moving in response to the Act and industry standards are already evolving. Beyond the Risk & Compliance Executives, urgency is increasing through to Department Heads and Service Executives.
As with any new regulatory or compliance requirement, there are differing levels of preparedness and organisation in every business, with contributing factors such as scale (linked to proportionality) playing a part. Those financial entities who have been proactive in their Operational Resilience posture in the past will be the ones with a clear competitive advantage.
However, it’s also fair to say that getting compliant, and fast, is easier said than done. To help remove some of the complexity and uncertainty, and help forge a path forward, I’m going to share some of my thoughts on how best to comply with DORA and better understand your responsibilities.
DORA in context
Firstly, and for the avoidance of doubt, DORA is a "regulation" and as such a binding legislative act that must be applied in its entirety across all EU member states. Yes, some implementation details are still being worked on (they are already called out in the regulation itself), but the Act is now EU law and enforceable from January 2025.
It won’t be a surprise that the scope of DORA is very broad, but it exists primarily to strengthen ICT security, mitigate risk across the EU financial sector and protect the Operational Resilience, performance, and stability of the financial system.
As the Act itself states, ‘In order to achieve a high common level of digital Operational Resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.’
That includes things like:
What actions need to be taken
So, it’s obvious that there’s a clear need for formality and standardisation to ensure an appropriate compliance posture. Firms must be able to demonstrate observability – it’s all about protection, detection, and action, not just logging! You need documentary evidence that you’re following your process and communicating issues to regulators in an industry-consistent and proactive fashion.
Firms must also demonstrate that they are well positioned to have visibility of issues beforehand and have taken steps to minimise potential impacts. They must demonstrate that they have the agility and adaptability to be able to respond to risks and issues that emerge or materialise in a timely manner. This is not an administrative exercise, it’s far more about management action and clear accountability across the end-to-end service.
Overall, firms need the most accurate information about the state of their data so they can take the most informed actions to ensure integrity. Yes, this might sound like Operational Resilience 101, but across the industry, there has been little standardisation, and in some cases, it’s been considered merely a formality and not a fundamental shift in systems design, implementation, and operation.
As an industry, we need to move Operational Resilience from a tick-the-box architecture exercise into a full-contact sport.
The ideal time to have built in all of this capability for Operational Resilience was when the systems were being designed. The next best time is right now, and you can achieve this by choosing a technology partner that has that observability function built in.
Therefore, Enterprise Architects have a critical role in helping navigate DORA but that requires they understand and be conversant with the word and the spirit of this regulation.
But who bears ownership of ultimate responsibility? Where does this particular buck stop? DORA makes that unambiguous - overall responsibility and governance sits with financial entities. They can outsource activity, service and reporting to third parties but they bear ultimate responsibility and, at an extreme, non-compliance could include criminal penalties for the firm and/or its accountable executives.
The Act also sets out requirements that financial entities and all third parties should have standardised contractual arrangements, including terms and conditions, in order for firms to be able to exit contracts (especially if there are security or compliance concerns) in a timely, orderly way without impact to their own customers.
What’s more, as the Act states, ‘Exit plans shall be comprehensive, documented and … shall be sufficiently tested and reviewed periodically.’ This is a considerable shift from passive documentation to an action-oriented stance.
Cloud concentration and data protection are also critically important. Reorienting your cloud set-up to protect against acts of overt aggression, as well as being able to mitigate against human/admin error, will need to be priority actions.
Conclusion
So how best to establish DORA competence and mitigate risk and unintended consequences? I believe that good Operational Resilience requires a robust architecture and proven capability from partners that have been with you on this Enterprise IT journey - this is critical because just buying tools will not get you compliant.
I’ll wrap up with a little analogy – when one thinks about mountaineering one thinks about control, safety, planning and preparation. You don't just arrive at the foot of a mountain and begin your ascent. You ensure you've brought the right equipment in advance; you understand the weather conditions in detail and you make sure to plan an approach with the least amount of risk.
What are your own immediate DORA priorities?
What steps have you already taken, if any?
Let’s start a conversation!
#DORA #DigitalResilience #ICT #CyberResilience #FinancialRegulation #RiskManagement #DontBreakTheBank #DBTB #VMware #OperationalResilience #CloudManagement #DataCentres #PrivateCloud #ExploringDORA #CloudChaos #SovereignCloud VMware
Head of Marketing at Xtravirt, a global award-winning cloud consulting and managed services business
1y Excellent blog explaining the significance of DORA to those working in the financial services sector, and not just those working in the IT function. Thanks for sharing your insights Matthew O'Neill
Head of Sales EMEA @ Cube - The Automated Regulatory Intelligence platform
1y Thanks for sharing these important summary insights. It is indeed a regulation that will vex financial organisations small and large for many years.
EMEA Financial Services GTM @ AWS | IT Transformation Expert
1y Matthew O'Neill I am looking forward to this series on all things DORA (not the Explorer).