top of page

Understanding DORA: A Guide to Compliance

Introduction

In the rapidly evolving landscape of financial services, resilience and security have never been more critical. The Digital Operational Resilience Act (DORA) represents a significant step forward in ensuring that financial entities within the European Union can withstand, respond to, and recover from all types of Information and Communications Technology (ICT)-related disruptions and threats.


This article provides an exploration of DORA, covering its applicability, the five pillars of the framework, key compliance dates, the implications of non-compliance, and Maxava solutions can play a crucial role in achieving compliance.


Understanding DORA: A Guide to Compliance

Who Does DORA Apply To?

DORA applies broadly across the financial sector within the European Union. This includes a wide range of entities, including:


  • Banks and credit institutions 

  • Payment institutions 

  • E-money institutions 

  • Investment firms 

  • Insurance and reinsurance undertakings 

  • Central securities depositories 

  • Credit rating agencies 

  • Crowdfunding service providers 

  • ICT third-party service providers to financial entities 


Essentially, any organization involved in financial services or supporting financial entities through ICT services must adhere to DORA regulations. This expansive scope underscores the importance of operational resilience in maintaining the stability and integrity of financial systems.


The Five Pillars of DORA

DORA's regulatory framework is structured around five key pillars, each addressing a critical aspect of digital operational resilience.


1. ICT Risk Management 

Financial entities are required to establish robust ICT risk management frameworks. This involves identifying, assessing, and managing ICT risks, including cyber threats. Key components include: 

 

  • Risk identification and assessment processes 

  • ICT security policies and controls 

  • Incident management and response procedures 

  • Continuous monitoring and improvement 

 

2. ICT-related Incident Reporting 

DORA mandates timely reporting of significant ICT-related incidents to competent authorities. This ensures that authorities are aware of disruptions that could impact the financial stability of the EU. Essential elements include: 

 

  • Defined criteria for classifying incidents as significant 

  • Procedures for internal and external communication 

  • Timelines and formats for reporting 

 

3. Digital Operational Resilience Testing 

Regular testing of ICT systems and controls is crucial for identifying vulnerabilities and ensuring preparedness for potential disruptions. This pillar includes: 

 

  • Periodic and comprehensive testing of ICT systems 

  • Use of various testing methodologies such as vulnerability assessments, penetration testing, and scenario-based testing 

  • Involvement of independent third parties for critical systems 

 

4. ICT Third-party Risk Management 

Given the reliance on third-party ICT service providers, DORA requires financial entities to manage and mitigate risks associated with these external partners. This involves: 

 

  • Due diligence and risk assessment of third-party providers 

  • Clear contractual agreements outlining security and resilience requirements 

  • Continuous monitoring and evaluation of third-party performance 

 

5. Information Sharing 

Collaboration and information sharing among financial entities and authorities are vital for enhancing collective resilience. DORA encourages: 

 

  • Sharing of threat intelligence and best practices 

  • Participation in information-sharing arrangements and forums 

  • Collaboration with relevant authorities and other stakeholders


Key Dates for Compliance 

Understanding the timeline for DORA compliance is crucial for financial entities to prepare adequately. Key dates: 

 

January 2023: DORA enters into force. 

January 2024: Financial entities must comply with the provisions of DORA. 

January 2025: Deadline for implementing ICT third-party risk management frameworks and the date compliance is expected. 

 

These dates highlight the urgency for financial entities to develop and implement comprehensive strategies to meet DORA requirements.


The Cost of Non-Compliance 

Non-compliance with DORA can have severe consequences for financial entities. Potential costs include:


Financial Penalties 

Regulatory authorities are empowered to impose significant fines on entities that fail to meet DORA requirements. These fines can be substantial, potentially reaching millions of euros, depending on the severity and impact of the non-compliance with fines of up to 1% of the provider's average daily worldwide turnover in the previous business year. In addition, providers can be fined every day for up to six months until compliance is achieved. 

 

Reputational Damage 

A breach or significant disruption due to non-compliance can severely damage an entity's reputation. Loss of customer trust, negative media coverage, and reduced market confidence can have long-lasting effects on business viability and profitability. 

 

Operational Disruptions 

Inadequate ICT risk management and resilience can lead to operational disruptions, resulting in financial losses, legal liabilities, and disruptions to business continuity. These operational impacts can be particularly damaging in a sector as critical as financial services.


Software and DORA Compliance

Achieving DORA compliance can be aided by the introduction of robust software solutions that enhance operational resilience. Maxava offer a suite of solutions and services that can significantly aid financial entities in meeting DORA requirements.


Enhancing ICT Risk Management 

Maxava’s solutions can help in the ongoing risk management challenge in areas which include:


Automated Monitoring and Alerting 

Continuous monitoring of ICT systems with automated alerts for potential issues, enabling proactive risk management with Maxava Monitor Mi8. In addition, Maxava Security also offers continuous, diagnostic checking, of database tables for suspicious updates, with alerting coupled with automated archiving of before-images prior to each suspicious change. 

 

Recovery Solutions 

Robust IBM i recovery capabilities with Maxava HA are designed to ensure data integrity and availability during both planned and unplanned disruptions. Maxava HA is a high availability and disaster recovery solution designed for IBM i, providing data protection and system resilience. It ensures continuous uptime by replicating data in real-time to a backup system, minimizing downtime and data loss during system failures or planned maintenance. With features like automated monitoring (and fixing), simulated role swap, and switchover capabilities, Maxava HA allows businesses to maintain operational continuity and safeguard critical information. The solution is scalable and flexible, catering to various enterprise needs while integrating seamlessly with existing IT infrastructure.


Facilitating Incident Reporting 

Maxava Monitor Mi8 provides real-time monitoring of IBM i, AIX, Linux and Windows servers coupled with logging capabilities that streamline incident detection and reporting processes.  Automated tracking of incidents, ensuring accurate and timely reporting to authorities. Notifications include email and SMS which can be built into custom escalation paths designed to ensure that any alerts are tackled in a timely fashion. A web-based console adds to alerting capabilities with multiple different views available for support, management and the NOC. In addition, Maxava Monitor Mi8 can interface with existing service desk tools. 

 

Supporting Operational Resilience Testing 

Maxava HA provides simulated role swap capabilities, allowing users to test their disaster recovery plan without incurring downtime and during a normal working day. The term simulated role swap (SRS) refers to a process where production processing remains on the source server while testing occurs on the backup or target server. During an SRS, the source server continues to handle transactions for applications and users. Meanwhile, Maxava HA replicates the changes to the target server using IBM's remote journaling. Unlike a typical replication process where changes are immediately applied, the target server stores these changes and only updates the database after the test concludes. 

 

An SRS test typically involves selected users logging onto the target server to ensure all applications function and behave as expected. This testing is crucial because various issues can arise in high availability (HA) environments, such as the addition of new database fields, changes in applications, or missing user profiles and other critical objects. Frequent testing is essential to maintaining a high level of readiness for any potential emergency.  

Maxava HA of course provides full role swap capabilities enabling businesses to continue to operate in both planned and unplanned outages. 

 

Maxava Monitor Mi8 provides comprehensive monitoring and alerting across IBM i, AIX, Linux, and Windows designed to proactively alert on potential anomalies before they impact the business and identifying areas for improvement. Designed for modern environments but equally comfortable supporting legacy applications and servers, Mi8 is a slick cloud-based solution utilized by both Managed Service Providers and customers around the globe. 


Summary

The Digital Operational Resilience Act represents a pivotal shift in how financial entities manage ICT-related risks and disruptions. With its comprehensive framework encompassing risk management, incident reporting, resilience testing, third-party risk management, and information sharing, DORA sets a new standard for operational resilience in the financial sector. 

 

Compliance with DORA is not merely a regulatory obligation but a strategic imperative for financial entities to safeguard their operations, reputation, and customer trust. The costs of non-compliance are substantial, ranging from financial penalties to reputational damage and operational disruptions. 

 

Leveraging Maxava solutions in Maxava HA, Monitor Mi8, and Maxava Security can significantly aid financial entities in achieving and maintaining DORA compliance. By enhancing risk management, streamlining incident reporting, and supporting resilience testing, Maxava helps provide a robust foundation for Dora compliance. 

 

Maxava HA, Monitor Mi8, and Maxava Security are powerful solutions that can be utilized independently to enhance aspects of your business operations. However, integrating these solutions can unlock significant synergies, providing even greater benefits. By combining Maxava's offerings, businesses can achieve a more robust, efficient, and secure environment, leveraging the strengths of each solution to complement and reinforce one another. 

 

As the financial sector navigates the complexities of DORA, a proactive and strategic approach to compliance will be essential. Investing in the right technologies and processes will not only ensure adherence to regulatory requirements but also fortify the resilience and stability of financial entities in an increasingly digital and interconnected world. 

 

 

This article is written by Ash Giddings, Product Manager at Maxava

 

Comentários


bottom of page