DORA 2025: How’s Your Operational Resilience Holding Up?

The EU’s Digital Operational Resilience Act (DORA) is intended to improve the way financial institutions manage data so that they are more resilient against ransomware and other cybersecurity threats.


We’ve all seen how ransomware can bring businesses, local governments, and other organizations to their knees. In 2023, European countries were among the most heavily targeted by ransomware, and security has been high on the agenda for EU governments and businesses. The European Union’s Digital Operational Resilience Act (DORA) is intended to improve the way financial institutions manage data and ICT risk so that they are more resilient against ransomware and other cybersecurity threats.

What Does DORA Do? Here’s a Refresher

DORA closes a critical gap in operational risk management for banks. Before DORA, financial institutions were not required to manage all components of operational resilience: operational risk was addressed mainly through the allocation of capital against it.

When DORA becomes applicable on 17 January 2025, banks’ responsibilities for operational risk expand to include protection, detection, containment, recovery, and repair capabilities for information and communication technology (ICT) incidents. DORA addresses ICT risk explicitly and sets rules for ICT risk management, incident reporting, digital operational resilience testing, and management of ICT third-party risk.

Complying with DORA is vital for banks based in or doing business in the EU, and compliance involves much more than simple data backup. To be prepared, financial institutions must rethink how they address security: they need a plan, ready to execute, for the “day after” an attack.

A New Resiliency Framework 

DORA is organized around five functional areas that form the foundation of a comprehensive digital resiliency framework for banking organizations:

  • ICT risk management. Organizations must set up a framework, systems, and processes to identify and manage ICT risk and to operate their systems for resilience. DORA includes specific requirements for continuous risk assessment, prompt detection of anomalous activity, and detailed business continuity and ICT response and recovery plans.
  • Incident reporting. DORA directs organizations to monitor, log, and classify all ICT-related incidents and to report major incidents to the relevant competent authority using standardized templates and deadlines. Reporting is not limited to regulators: where a major incident affects clients’ financial interests, the entity must also inform those clients.
  • ICT resilience testing. DORA requires a digital operational resilience testing programme with regular testing of ICT systems, including threat-led penetration testing at least every three years for entities designated by their supervisor. Test results must be reported, and any weaknesses, gaps, and vulnerabilities found must be patched or otherwise remediated, with the remediation itself tracked and reported on.
  • Third-party risk management. To cover the digital supply chain, DORA requires financial entities to manage the risk of their ICT service providers, such as payment processors, hyperscalers, and software vendors: contracts must include, among other provisions, a full description of the service levels and of the locations where data is processed and stored. ICT providers designated as critical to the EU financial sector, such as large cloud providers, additionally fall under direct oversight by the European Supervisory Authorities.
  • Information sharing. DORA guidelines encourage collaboration among financial entities and their strategic partners and suppliers to help combat breaches, fortify defenses, and share lessons learned from incidents.

Takeaways for Financial Institutions

The depth and breadth of DORA make it an ambitious use of regulatory power, which means the road to compliance may be a bumpy one. As noted above, DORA’s reporting requirements are extensive, and they are stringent in terms of frequency, time frames, and technical detail.

DORA regulates the entire financial services industry, not just the big banks at the top of the market. DORA also requires deep involvement of functions across the organization. For example, incident response obligations apply to the entire organization, including legal, marketing, and other departments, not just IT.

While DORA has an understandable emphasis on cybersecurity, it doesn’t necessarily take a bad actor to cause problems. DORA treats ICT incidents holistically: any incident that disrupts services, whether a hacker’s breach, simple human error, or a mismanaged change, must be classified and, if it is major, reported.

Challenges with Legacy Data Storage

A major stumbling block for organizations’ response plans is the limitation of their current architecture. Many banks still run architecture based on a legacy approach to data management, where the main objective was to move data as quickly as possible from the most expensive tier to the cheapest (from production storage to tape). The key metric of success was a low total cost of ownership.

The major downside of considering only cost is that everything else falls by the wayside: business continuity, performance, simplicity, risk management, and ESG were not part of the equation.

The lasting implications of this approach are now hitting banks hard as they try to catch up with today’s data challenges. Big data, fraud analysis, and regulatory requests put pressure on scarce resources. The original intention behind the storage stack was to save money, but legacy architecture is having the opposite effect: it is actually increasing the cost of ownership.

Beyond Backup

Previously, security followed a “drawbridge” design. Banks (and other companies) built walls to protect their IT. It was the time of firewalls, appliances that combined routing and filtering, anti-spoofing controls, antivirus detection, and more. But a key issue was not addressed by the “drawbridge” approach: a framework for the steps to take once a breach has succeeded.

Modern data protection filled this gap in response to new security challenges. A critical part of preparing for resilience in the wake of cyberattacks is building the capability to ensure business continuity. 

A Platform for Speed and Strategy for Business Continuity

The new context of DORA calls for financial institutions to define rules that allow simpler and more fluid data management. The first step is to redefine data classification so that a given data set can move easily from one tier to another as business requirements change (from very hot to very cold).

Flash media solutions fundamentally change the way we address data agility across silos. Flash performance and reliability enable a new way of working that financial institutions can benefit from now, and that also sets them up for future challenges, all at a competitive cost, even for cold data.

Embedded features from Pure Storage are well adapted to business continuity, allowing the financial industry to address business continuity for data without compromise. And because of Pure Storage’s focus on simplicity, flash deployment can happen surprisingly quickly, an important point in light of DORA’s time frame requirements and its rapidly approaching 2025 application date. Learn more about preventing, responding to, and recovering from operational disruptions in the Pure webinar, “A New Era for Banking Security: Essentials to Strengthen Operational Resilience.”
