What the Digital Operational Resilience Act Means for You

We’re at a critical time for digital transformation. Every business in some form or another is looking to adopt and integrate emerging technologies—whether that’s artificial intelligence, hybrid cloud architectures or advanced data analytics—to help achieve a competitive edge and reach key operational goals. But while there’s plenty of excitement and change underway, security risks and vulnerabilities have continued to follow right alongside that innovation. Cyber-attacks and data breaches can wreak havoc in a business’ IT systems, resulting in massive costs to fix the damage and a long-lasting impact to customers that could hamper a company’s growth for years to come.

As security risks grow more complex, government agencies are putting an emphasis on new regulations to help lay out what businesses need to do to protect their IT infrastructure while also establishing IT security standards. Things like the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR) have already had a tremendous impact on the urgency around prioritizing security infrastructure.

With that backdrop, let’s take a look at one of the newer security policies set to bring even more change to the way we think about, and approach, IT security—the Digital Operational Resilience Act (DORA). This piece of legislation in the European Union (EU) requires companies to be compliant by January 2025, meaning businesses have just under one year to ensure they’re prepared.

But what exactly does this policy mean for IT security? And how can businesses ensure they’re ready?

What is DORA?

Introduced in 2020—and later enacted in 2022—DORA aims to establish a consistent and common level of digital operational resilience across financial services firms in—or doing business with—the EU. The ultimate goal here being to develop an approach that fosters a standardized structure of technological development. The regulation requires EU financial entities and their critical ICT providers to adopt comprehensive information and communications technology (ICT) risk management capabilities into their security processes. Compliance with DORA will require full adherence to five critical areas of focus outlined in the regulation:

• ICT risk management – This guidance establishes a standard framework for what organizations should do in response to an ICT security incident.
• Reporting of major ICT-related incidents – Regulation defines how organizations will need to classify and report ICT-related security incidents moving forward.
• Digital operational resilience testing – Sets out guidance for testing of existing recovery strategies to identify potential vulnerabilities.
• Information and intelligence sharing – Requires businesses to engage in information sharing around cyber threats and vulnerabilities as they’re identified.
• Management of ICT third-party risk – Tasks firms with ensuring any third-party vendor is aligned with its security and digital resilience capabilities.

So, who needs to adhere to DORA? While it’s an EU policy with ramifications for EU businesses, the impact will undoubtedly affect businesses worldwide. DORA puts a heavy focus on financial organizations in the EU – from banks to insurance companies – but those are not the only businesses that will need to adhere to the policy. Any business that works with EU-based banks, insurers, or financial organizations will also need to maintain compliance, even if they are not actually based in the EU.

Getting prepared

Time is quickly running out for businesses to get their IT and mainframe security infrastructure ready to comply with the regulations specified in DORA. So, with no time to waste, where should they get started? There are several key areas to improve risk management, including:

• Define clear roles and responsibilities: DORA outlines that management bodies will be expected to maintain an active role in adapting their ICT risk management framework and overall operational resilience strategy.
• Implement a periodic review of ICT Business Continuity Policy and ICT Disaster Recovery Policy: Implementing a regular review cadence for ICT business continuity and disaster recovery policies is crucial for effective risk management oversight. According to DORA, “financial entities shall regularly review their ICT Business Continuity Policy and ICT Disaster Recovery Plan taking into account the results of tests carried out in accordance with recommendations stemming from audit checks or supervisory reviews.”
• Consistently review budget related to fulfilling digital operational resilience needs: Preparing for a new set of regulations requires the right resources. As an example, DORA requires a crisis management function that implements clear procedures to manage internal and external crisis communications.
• Implement ICT security tools and processes: Any DORA-focused preparations need to take tools and processes into account. Organizations need to consider legacy systems like the mainframe as well as vulnerabilities that might be leaving the business exposed to excessive risk.

Moving forward, businesses will need to take a much closer look at the IT environments they utilize. Regular penetration testing, integrity assessments, compliance assessments, and vulnerability management, like Rocket^® z/Assure^® Vulnerability Analysis Program, will be critical to maintaining the sort of rigorous compliance that is required by DORA. With the right solutions and processes in place, businesses can be proactive about spotting vulnerabilities in their IT environments and ensure they are faced head-on before a breach can occur.

Is your IT security infrastructure ready for future regulations? With Rocket Software, rest assured you'll have the technology, expertise, services, and support for digital operational resilience and robust risk management oversight.