So, DORA – What’s it all about??? – Dec 24, 2024

If you work in either the financial services industry or the supplier industry to financial services, there is no way you will not have heard about the EU Digital Operations Resilience Act and the fact that it’s coming into “being” on January 17th, 2024.

This blog is intended to give a bit of an introduction to DORA: what it’s driving, some of the initial impacts it will have on technology leaders, and the considerations that come with it.

So, let’s start with the basics – DORA – why is it even a thing, and what is it trying to achieve?


What’s the DORA Legislation here to achieve? 

This new regulation is designed to improve & bolster the resilience of financial institutions against operational disruptions like cyberattacks and system failures. By enforcing stricter standards for risk management and incident response, DORA aims to safeguard both consumers and the financial system as a whole. 


Why DORA now? 

So why now? With the exponential use of technology in the financial services industry, the resilience of systems is core to keeping the business operational. Given the number of high-level disruptions caused by system outages, supplier impacts (such as CrowdStrike), and the ever-increasing impact of cyber-attacks, this legislation is being brought in to improve resilience and reliability across the financial services industry.


The Pillars of DORA 

So – we have covered the what and the why – but what is DORA really looking at, and what are the areas (or, as the industry refers to them, Pillars) that DORA is driving institutions to look at? Here is a bit more information on those pillars.

  1. ICT Risk Management: Ensuring you have appropriate risk management and control objectives in place. DORA is there to ensure that financial institutions have established a robust risk framework to identify, assess, and manage technology risks, including those associated with suppliers and service providers.

  2. Incident Management and Reporting: DORA mandates that you have robust incident management and regulatory reporting in place. These procedures need to cover reporting major technology-related incidents to regulators / competent authorities and sharing information on cyber threats and incidents with other institutions.

  3. Digital Operational Resilience Testing: As part of DORA, you have to conduct regular testing of your systems and services to ensure that they can withstand potential disruptions. This could be based around cyber, component failure, or supplier/counterparty failure.

  4. Management of ICT Third-Party Risk: This requires financial institutions to implement effective oversight mechanisms for critical third-party service providers, as part of third-party and supplier risk, to ensure that items such as exit strategies are included (and tested).

  5. Information Sharing: Sharing resilience risks, horizon concerns, and information on cyber threats and incidents with other financial institutions and authorities to improve overall cybersecurity is a key part of the DORA legislation and of driving resilience across the financial services industry.


What are some of the technology implications that DORA will drive? 

Now that we have been through a bit of an introduction to the DORA framework, what does this mean for the tech stacks, and what do technology executives need to think about when considering both DORA and resilience?

Fundamentally, DORA is all about resilience, and about ensuring that the CIFs (Critical & Important Functions) are architected, protected, and secured in an appropriate manner. In addition, there is a massive emphasis on testing to prove that you are resilient and on ensuring that lessons learnt (from testing and incidents) are implemented. So, what are some of the key technology aspects you should consider? Here are the BIG THREE:


Resilient & protected Infrastructure 

  • Resilient & Redundant Architectures: Availability and redundancy mechanisms implemented to provide robust failover, facilitating business continuity.

  • Network Segmentation: Segmenting networks to limit the impact of potential breaches, aligned to Critical & Important Functions (CIFs).

  • Disaster Recovery and Business Continuity Planning: Developing comprehensive disaster recovery and business continuity plans and regularly testing them. 

  • Backup & Recovery Systems: Appropriate backup and recovery services implemented and designed so that there are clear primary and secondary installations with sufficient capacity to restore services in the event of a major outage/issue.


Cybersecurity / Threat Management & Response 

  • Threat Detection and Response Tools: Consideration around SIEM tooling that monitors and logs, and the corresponding response tooling.

  • Test: Testing of detect, respond, and recover tooling. Make sure your capabilities do what you think they are going to do.

  • Access Management: Robust Identity and Access Management (IAM) and Privileged Access Management (PAM).

  • Patching & Vulnerability Management: Comprehensive patch management and vulnerability management, with corresponding reporting.

  • Limited Blast Radius: Ensure that measures are put in place to limit the blast radius of issues/compromises and to protect CIFs. A big nod back to network segmentation and appropriate protection mechanisms!


Network Segmentation 

So, this is a biggie (well, they all are – but this is causing the most upset!!!). Network seg has been mentioned a few times throughout this article… There is a massive focus within DORA on networks and segmenting your network. Given networks are such a foundational element of technology infrastructure, it’s pretty unsurprising that there is a big focus here. It’s also one of the biggest worry areas for large enterprises, given the legacy of making everything talk to everything….

  • Segmentation of Your Network: Isolating your critical systems (CIFs) through network segmentation methodologies to limit the impact of potential breaches, outages, etc.

  • Monitoring: Ensure that networks are appropriately monitored from an availability, capacity, and performance perspective.

  • Documentation: Maintaining accurate and up-to-date network documentation to facilitate troubleshooting and incident response.

  • Network Security: Implementing robust security measures to protect network infrastructure from cyber threats.

There is enough just on networks alone to put “The Fear” into any CIO / Infrastructure head / Network service owner…. There will be more on this in a subsequent article – that will hopefully prove useful! 

Well – that’s it for this spotlight session. Obviously, there is a ton more, but this shows where some of the key consideration areas need to be. To back all of this up, there also have to be the appropriate Policies, Standards, Processes, and testing in place.

The next blog will focus on CIFS, CIBS, service mapping, and the importance of downstream service providers and getting a solid view of not just 3rd-party but Nth-party suppliers!

That’s it for this blog, hopefully, it’s provided some insight! 
