The Digital Operational Resilience Act (DORA) is a new EU regulation that addresses an important gap in EU financial regulation and is transforming the way financial institutions approach digital resilience[¹]. For an IT practitioner working in the Banking, Financial Services, and Insurance (BFSI) sector, understanding the complexity of DORA is vital, as it impacts daily operations, security protocols, compliance measures, and more. This guide provides a focused overview of DORA, emphasizing the areas most relevant to IT practitioners working in the financial space.
On September 24, 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).
On 28 November 2022, the European Council adopted DORA after the European Parliament voted in favor of the act[²].
DORA entered into force on January 16, 2023[¹].
Regulatory and implementing technical standards are defined and issued by the European Supervisory Authorities (ESAs). These standards provide entities with specifications and guidance on how to implement specific DORA requirements.
Given the 24-month implementation period that started when DORA entered into force in 2023, financial entities are expected to be compliant with DORA by January 17, 2025.
Key Responsibilities Under DORA
The following responsibilities under DORA summarize the key areas where IT practitioners must focus their efforts, ensuring not only compliance but also a resilient, secure digital operational environment within the financial industry.
- Digital Resilience Testing ensures that systems are regularly tested to identify vulnerabilities and assess resilience against potential disruptions. IT practitioners must develop and oversee protocols that include stress tests and scenario analyses.
- Incident Reporting & Management includes creating and managing strategies for a prompt response to significant digital incidents. This includes coordinating with relevant stakeholders and complying with DORA's reporting requirements.
- Third-Party Risk Management calls for conducting thorough assessments and continuous monitoring of risks related to third-party service providers. IT practitioners must establish and enforce risk management protocols to align with DORA's standards.
- Technology Investments entail aligning with up-to-date technology standards for risk detection, prevention, and mitigation. IT practitioners are responsible for evaluating, selecting, and implementing necessary technologies and tools that adhere to DORA's requirements.
Challenges to DORA Compliance
A. Compliance Complexity
Understanding and complying with DORA's many rules and requirements is a complex task. Its provisions cover different aspects of digital resilience, which makes it hard to determine exactly what is required and how to implement it.
B. Integration with Existing Systems
Seamless integration of DORA's rules may require modifications to existing systems and processes. This involves a potentially complicated alignment with the current IT infrastructure, including changes to data handling, security protocols, and more, which can be difficult and time-consuming.
C. Cost Implications
Complying with DORA's requirements involves significant financial investments in technology, training, and staffing. Meeting these compliance needs with budget constraints, especially for smaller institutions, presents a considerable challenge and requires careful financial planning and management.
Solution: Compliance Automation
Software solutions can be designed to monitor, assess, and report compliance with regulatory requirements. They can automate a wide range of tasks, from routine checks to complex reporting. Automated compliance tools such as these will likely be essential for managing DORA's complex requirements, both in the near future and beyond.
Because achieving compliance is such a complex process, IT practitioners in the BFSI sector will need an automated compliance solution that helps them be proactive, consistent, efficient and accurate in maintaining their compliance posture. Such a solution also removes the ‘human error’ factor from the equation, saves time and effort, and lets teams focus more on growth drivers.
Runecast now provides DORA compliance checks for VMware vSphere and NSX, as well as Windows and Linux OS
With the release of Runecast 6.7 on August 18, 2023, the AI-powered automation platform was the first to offer automated DORA compliance checks for your vSphere and NSX environments[³]. With the release of Runecast 6.8 on November 7, 2023, DORA compliance coverage was extended to Windows and Linux operating systems as well.
This will give IT teams time to prepare for the coming legislation, which goes into effect on January 17, 2025, and will apply to all EU members in the financial sector.
Runecast customers can now say goodbye to complex, time-consuming audits, the costs associated with both manual preparation and the possibility of noncompliance penalties, and the overwhelming tasks required to achieve and maintain continuous compliance.
Runecast is a patented solution that helps organizations to keep their workloads secure and compliant anywhere. Our mission is to lead organizations into the future by pioneering proactive technologies and approaches that help them stay ahead of emerging threats. Runecast is a Gartner Cool Vendor, referred to by several experts as a ‘must-have’ solution for VMware-based environments.
Runecast is at the forefront of Cloud Native Application Protection Platforms (CNAPPs) and proactively assists with Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM), Governance, Risk Management and Compliance (GRC), and various other types of strategic approaches to vulnerability management and the strongest-possible security posture. In addition, it provides continuous audits against other common security standards such as CIS Benchmarks, NIST, GDPR, HIPAA, PCI DSS, DISA STIG, BSI IT-Grundschutz, ISO 27001, TISAX, Cyber Essentials (UK), Essential 8 (Australia), and the CISA Known Exploited Vulnerabilities (KEVs) catalog.
- [¹] Digital Operational Resilience Act (n.d.). Retrieved from: Digital Operational Resilience Act (DORA) Overview.
- [²] European Council (November 28, 2022). Digital finance: Council adopts Digital Operational Resilience Act. Retrieved from: Digital Finance: Council Adopts Digital Operational Resilience Act.
- [³] Based on internal research of industry offerings as of August 2023.