In my last article about ransomware, I mentioned how important it was for chief financial officers (CFOs) to ensure that the IT in their organizations was as secure as possible—particularly now that attacks can come from artificial intelligence (AI) bots that could be in the hands of anyone.
These bots can do all the hard work to try to fool ordinary staff members into revealing passwords, transferring funds, and generally revealing the information needed for a major hacking attack.
Given the increase in the number of cyber-attacks and the sophistication of those attacks, the European Union (EU) is taking steps to ensure that financial institutions (e.g., banks, payment providers, etc.) are as resilient as they can be against these attacks and can recover from disruptions to their key services and systems.
Digital Operational Resilience Act – DORA
The EU also hopes that the new legislation will safeguard the stability of the broader economy through resilient providers. The result is the EU Digital Operational Resilience Act (DORA). It specifies detailed requirements for EU-based financial institutions to protect their key business processes. The regulations introduce standardized processes for managing, reporting, and reacting to IT operational risks in financial institutions.
There are several key components to the act, including:
- The mandatory reporting of IT-related incidents — this will make clear the nature and frequency of disruptions, which in turn should enable organizations to develop more effective mitigation strategies. In addition, sharing this information will allow financial institutions to learn from each other’s experiences and improve their resilience strategies.
- Rigorous risk management of third-party IT service providers — financial institutions must ensure that their suppliers, including managed IT service providers, IT hardware suppliers, and consultancy services, adhere to robust cybersecurity standards. This is intended to deal with the issue of supply chain vulnerabilities, which have become a growing problem in recent years.
- Comprehensive operational resilience testing — through methodologies such as TIBER-EU and threat intelligence-led penetration testing/red teaming. TIBER-EU testing is mandated at least once every three years, with the possibility of more frequent, self-guided testing in the intervening years.
DORA Challenges
DORA enforcement begins 17 January 2025. That means financial institutions working in the EU need to check that their resilience capabilities comply with the new regulations. Otherwise, they need to be working out what steps their organizations must take to be compliant by January.
DORA shouldn’t be left to the IT team — as brilliant as they probably are. This is something that the board as a whole should discuss and monitor. This becomes especially important because the European Supervisory Authorities’ regulatory technical standards (RTSs) are only just being finalized, which gives organizations less than six months to be compliant.
The problem that some organizations are facing is how to budget for DORA, because the scope of DORA is so broad. How can they know, when the budget was set, exactly how much their organization will need to spend? What if they haven’t allocated enough money and the project can’t be completed on time? Or do they metaphorically write a blank cheque for the project? That is not something financial institutions will feel like doing.
DORA is designed to protect financial institutions and the wider economy from cyber-attacks, technology failures, and human error. The thinking is that as long as financial institutions maintain operations, the rest of the economy will continue to thrive.
Groups Affected by DORA
The act has an extensive reach. It affects fintech companies, financial services and insurance, lenders, trading venues, financial system providers, crowdfunding, crypto, the financial services supply chain, investment firms, payments, and credit rating agencies.
Financial services companies outside the EU are not affected unless they supply EU financial institutions, in which case they will be, no matter where in the world they are physically located. That means US companies working in Europe will be affected.
The concept of DORA is great: it protects financial institutions and safeguards the wider economy. In practice, because no one has done this kind of thing before, it may leave organizations wondering exactly what they need to do. Like any piece of documentation, there will be some parts that organizations will implement differently — each hoping that they will be compliant with the legislation.
DORA as an Opportunity
Organizations affected by DORA should treat it as an opportunity rather than a burden. After all, isn’t it better to adopt best practices than to hope that your company won’t get caught out and continue working the way you always have? The metaphor is skating on thin ice and hoping your company doesn’t fall through! Once the legislation is active and shown to be working, it wouldn’t surprise me to find other parts of the world introducing similar acts. In the meantime, good luck to all those people involved in preparing for DORA.
Regular Planet Mainframe Blog Contributor
A popular speaker, blogger, and writer, Trevor is CEO of iTech-Ed Ltd. He has an extensive 40-year background in mainframes and IT, and has been recognized as an IBM Champion from 2009–2024 for his leadership and contributions to the Information Management community.