The European Union’s (EU’s) Digital Operational Resilience Act or DORA is a key milestone for the future of the cloud in financial services. It acknowledges the vital role cloud technology plays in the delivery of modern banking services. At the same time, DORA highlights the catastrophic risk a service outage could have on not just the customers of an individual bank, but to an entire economy.
The EU shouldn’t be second guessed here – massive GDPR fines have set a precedent and tech firms should be wary. With a supplier list that is still to be finalised but growing, we understand the extent of this at NetApp.
From 2025, countless organisations will face a very real risk of crippling fines should they be at fault. Businesses must start thinking about this now, as penalties will even extend to ICT providers. Proposed fines for non-compliance include a periodic payment of 1% of average daily worldwide turnover.
So, what is DORA? What does it mean for a business and how can they avoid being caught out once it comes into force?
Understanding DORA
Put simply, DORA seeks to address ICT risk management in financial services, and to work in tandem with the existing ICT risk management regulations already in place across the EU.
DORA aims to establish universal foundations and provide a framework for managing and mitigating risks. It will do so by removing the gaps, duplications and any clashes that could arise between various regulations already in place.
By producing a shared set of rules, DORA should make life easier for organisations operating in or on the periphery of financial services. If successful, compliance will strengthen the resilience of the EU’s financial system, and will hold every institution to the same standards.
However, until now, risk management regulations for financial institutions in the EU have primarily focused on ensuring that firms have sufficient recourses and capital to cover operational risks. Despite some proactive steps from EU regulators, such as releasing guidelines on security risk management and ICT, these have not applied to all financial service firms equally. This has resulted in regulators often reliant on broad principles rather than exact, agreed technical standards.
What’s more, with gaps in regulation, we’ve even witnessed individual EU nations issue their own requirements. While this isn’t ideal from a regulatory perspective, poorly considered or patched regulations have made it difficult for organisations in the financial services sector to navigate this area with confidence.
Preparing for DORA
DORA’s scope impacts all financial institutions in the EU. Notably, it also extends to those that have been typically excluded from financial regulations – namely third-party ICT service or systems providers that support financial services organisations, as well as management solutions and cloud providers.
It can be broken into five core pillars, that will be enforced proportionately; 1) ICT risk management, 2) ICT related incident reporting, 3) digital operations resilience testing, 4) ICT third party risk and 5) information sharing.
While this may seem daunting from first glance, it’s important to note that smaller entities will not be held to the same standards as major financial institutions. Information sharing is also encouraged but not required. This is indeed a significant step change not only for the industry, but suppliers too.
The result? Financial firms face a new set of challenges and risks as they get ready for DORA enforcement in 2025.
What does this mean?
Well, these five pillars essentially cover two key areas: resilience and cloud.
For cyber resiliency, DORA wants to minimise the threat of attacks and ask organisations how they can ensure service availability and reporting. Another important aspect is how they can ensure recovery. We’re seeing an increasing number of cyber-attacks, such as ransomware, that leave financial entities in limbo.
An integral approach to DORA’s resilience will be sharing information with both regulators and peers. This is governed by the premise that the more information we share, the more we can increase awareness and protect against possible and emerging threats. This will be familiar and uncomfortable for the sector. Financial entities are more than used to sharing information with regulators, less so with competitors.
The second core area is the industry’s cloud concentration risk. This is particularly interesting, as it is the regulators accepting cloud as an effective platform for financial services. One should only compare this to when people feared putting customer data in the cloud – today, regulators are now accepting that cloud technologies are here to stay.
Perhaps most importantly, DORA intends to establish controls to minimise risks of outages with cloud providers. In turn, the hope is to avoid any impacts a nation’s economy.
How can organisations approach this correctly?
DORA has been approved by the European Parliament, and organisations have just over a year before the legislation comes into force in 2025. Organisations must therefore use this time effectively, and focus on maturing their Digital Resilience Framework. To do this, they should build up their capabilities and processes to ensure they are ready to perform required annual evaluations, tests and reports.
DORA will become the “lex specialis” in this area, meaning it will take precedence over any overlapping regulations like NIS or the ESA guidelines. For companies, this means they should use DORA as the main reference point to avoid any gaps in processes before this regulation comes into force. After that, best practice for ensuring resilience and compliance will be striking a balance between seeing DORA as much a technical challenge as an organisational one.
This means DORA is both cultural and procedural. It’s reliant on the sharing of information and different teams. DORA can’t only be an ICT issue, as teams must be involved to collate and share information well. Doing so will improve their communications, both internally and externally. This is imperative as better collaboration and consultation between teams will underpin successful navigation of DORA. Risk, security, and IT teams will all need to work together in tandem. In fact, achieving the required level of internal cooperation may potentially be a bigger challenge than external reporting.
Investment in perfecting internal governance practice can also help. Organisations with lower maturity on this front will need to invest further resources and money to acquire the capability and capacity to achieve DORA compliance. Addressing this sooner rather than later is the focus for now. If firms fail to adopt a preventive culture attitude, a reactive approach will likely be costly.
Steve Rackham is chief technology officer (CTO) for financial services at NetApp