Enhancing Business Continuity with the Digital Operational Resilience Act

In the digital age, cybersecurity is not just about protecting data; it’s about ensuring that the very fabric of our financial systems remains intact and resilient against threats. The introduction of the Digital Operational Resilience Act (DORA) by the European Union marks a significant milestone in the journey toward a safer and more stable financial ecosystem. The financial services sector, together with its cybersecurity and resilience structures, has witnessed firsthand the evolution of digital threats and the increasing sophistication of cyber adversaries. It is against this backdrop that we delve into the importance of DORA and its potential to redefine the landscape of financial services, cybersecurity, and resilience.

Understanding the DORA Act and How it’s Enforced

DORA was formally ratified in November 2022 by the European Parliament and Council of the European Union, which are the legislative entities in charge of passing laws inside the EU. Enforcement has now begun, as financial firms and outside ICT service providers have had until Jan. 17, 2025, to comply with DORA.

DORA emerges in response to the growing dependency of financial entities on information and communication technologies (ICT). DORA aims to standardize the digital operational resilience framework across all EU member states, ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.

At its core, DORA focuses on several key areas:

  • ICT risk management: Establish stringent requirements for financial entities to identify, manage, and mitigate ICT risks and embed resilience into the design of ICT systems.
  • Incident management and reporting: Mandate timely detection, response, and reporting of significant cyber incidents to the relevant national and EU authorities.
  • Digital operational resilience testing: Introduce rigorous testing requirements to assess the resilience of financial entities against cyberthreats and validate the effectiveness of ICT systems under stress.
  • Third-party risk management: Enhance oversight and management of ICT third-party service providers, including cloud computing services.
  • Information sharing and collaboration: Foster collective resilience through shared intelligence and collaboration between financial entities, regulators, and ENISA (the EU Agency for Cybersecurity).
  • Governance and oversight: Ensure board-level ownership of resilience and establish clear roles for senior management and dedicated resilience officers.
  • Compliance and oversight: Align with EU-wide standards and regulatory expectations to achieve harmonized supervisory practices across EU member states.

The European Supervisory Authorities (ESAs) play a central role in implementing and enforcing DORA. The ESAs, comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), act as the regulatory backbone of DORA to ensure harmonized oversight and compliance across the EU financial sector.

Enforcement of the standards, once they are finalized, is left to the “competent authorities,” the designated regulators in each EU member state. These authorities may require financial entities to take security precautions and address vulnerabilities. In addition, non-compliant entities are subject to administrative penalties and, in certain situations, criminal penalties. These penalties are decided separately by each member state.

ICT providers that the European Commission has classified as “Critical Third Party Providers” (CTPPs) are under the direct supervision of lead overseers from the ESAs. Lead overseers have the same authority as competent authorities to demand security measures, corrective actions, and penalties from non-compliant ICT providers. Their powers include:

  • Assess CTPPs’ resilience, security, and governance.
  • Conduct inspections and impose corrective measures if needed.
  • Maintain a public EU-wide register of critical providers.
  • Ensure consistent oversight across EU member states to prevent regulatory arbitrage.

If a critical ICT third-party provider fails to comply with DORA, the following penalties and corrective measures may apply:

  • Binding recommendations and corrective actions
    • The lead overseer can issue binding recommendations for remediation.
    • Failure to implement corrective actions can lead to escalation measures, including restrictions on service delivery.
  • Fines and periodic penalty payments
    • CTPPs can face periodic penalty payments of up to 1% of their average daily worldwide turnover for each day of continued non-compliance.
    • These payments continue for up to six months to enforce corrective measures.
  • Temporary or permanent service restrictions
    • If the ICT provider’s failure poses a significant risk to financial entities, the lead overseer can impose:
      • Temporary restrictions on providing services.
      • Permanent prohibitions on servicing EU financial institutions.
  • Public disclosures and reputation damage
    • Supervisors may publicly disclose non-compliance, which can damage the provider’s reputation and trustworthiness.

Who Needs to Comply with the DORA Act?

DORA is designed primarily for entities within the financial sector of the EU. It aims to ensure that all participants in the financial system have the necessary safeguards and mechanisms to effectively manage cyberthreats. Here is a breakdown of entities that need to comply with DORA:

  • Credit institutions: This includes banks and other financial institutions that offer credit facilities. These organizations are required to ensure their digital operations and services are resilient against cyberthreats.
  • Payment institutions: Organizations that provide payment services need to comply with DORA to protect payment processes from cyber disruptions.
  • Electronic money institutions: Firms that issue electronic money to facilitate electronic payments, or that provide related financial services, fall under DORA’s scope.
  • Investment firms: Companies that offer investment services, including brokerage services, portfolio management, and investment advice, must adhere to DORA’s requirements.
  • Crypto-asset service providers: With the increasing integration of cryptocurrency into the financial system, entities that provide services related to crypto-assets are also required to ensure operational resilience.
  • Insurance and reinsurance companies: Insurers and reinsurers need to comply with DORA to protect their operations from ICT-related risks and ensure they can continue to provide services even during cyber incidents.
  • Central securities depositories and central counterparties: Entities involved in the post-trade processing of securities transactions must ensure their digital and operational resilience.
  • Trading venues: This includes stock exchanges and other platforms where financial instruments are traded. These areas must have measures in place to mitigate cyber risks.
  • Third-party service providers: Although not directly regulated by DORA, third-party providers, including cloud services and regulated financial entities, are indirectly affected. Financial entities must ensure their third-party partners also adhere to resilience standards that comply with DORA.
  • Other financial market participants: This includes a broad category of other entities who are engaged in financial activities that are critical to the financial market’s infrastructure, and they are subject to regulatory oversight to ensure operational resilience.

DORA sets a comprehensive framework for operational and digital resilience across the financial sector, which reflects the EU’s commitment to safeguarding financial systems against ICT and cyberthreats. Compliance with DORA not only enhances the resilience of individual entities but also contributes to the stability and integrity of the financial market.

DORA’s Implications for Financial Entities

For financial institutions across the EU, DORA is not just another regulation — it is a transformational shift toward a more unified and robust approach to cybersecurity. By harmonizing requirements, DORA aims to level the playing field and ensure that all entities, regardless of size or complexity, adhere to high standards of digital resilience.

The implementation of DORA will undoubtedly present challenges, particularly for smaller institutions that may lack the resources of their larger counterparts. However, it also offers an opportunity to strengthen defenses, improve incident response mechanisms, and foster a culture of continuous improvement and resilience.

A Cybersecurity Veteran’s Perspective

Drawing on years of experience in the trenches of cybersecurity and resilience, we view DORA as a critical step forward, and a very necessary one. Operational resilience is about more than just preventing attacks; it’s about ensuring that financial services can continue to operate effectively, even in the face of disruption. DORA’s comprehensive approach to risk management, testing, and third-party oversight reflects a deep understanding of the multi-faceted nature of modern cybersecurity.

Looking ahead, we anticipate that DORA will drive innovation in cybersecurity practices and technologies. As financial institutions work to comply with DORA’s requirements, we are likely to see an increase in the adoption of advanced cybersecurity and cyber resilience practices, processes, and solutions.

Practical Steps Toward Compliance

Achieving compliance with DORA requires a structured and cross-functional approach. Below is a practical, step-by-step roadmap to help organizations align with DORA’s requirements, focusing on ICT risk management, incident response, third-party oversight, and resilience testing.

1. Assess current state and gap analysis

Map DORA requirements

  • Review DORA’s five pillars and cross-reference them against your current processes.
  • Identify gaps in your control environment.

Prioritize risks

  • Classify ICT assets and systems by criticality.
  • Conduct a Business Impact Assessment (BIA) to understand potential disruptions.

2. Build governance and policies

Assign accountability

  • Appoint a Chief Resilience Officer (CRO) or steering committee to oversee DORA compliance.
  • Define roles for IT, risk, legal, and compliance teams.

Develop an ICT risk management framework

  • Create policies for identifying, assessing, and mitigating ICT risks.
  • Integrate resilience into business continuity plans.

3. Strengthen incident management

Implement incident management and reporting processes

  • Establish workflows to detect, classify, and report major ICT incidents to regulators within 24 hours.
  • Develop tools to enable real-time monitoring.

Build playbooks

  • Draft incident response plans with escalation paths, communication protocols, and post-incident review processes.
  • Train staff via tabletop exercises.

4. Operational resilience testing

Conduct regular testing

  • Perform annual Threat-Led Penetration Testing (TLPT) for critical systems.
  • Run scenario-based simulations to test recovery procedures.

Remediate vulnerabilities

  • Prioritize fixes based on risk severity.
  • Document remediation efforts for audit purposes.

5. Manage third-party risks

Audit third-party providers

  • Maintain a register of critical ICT vendors.
  • Ensure contracts include DORA-aligned clauses (e.g., service level agreements (SLAs), audit rights, and exit strategies).

Due diligence and monitoring

  • Assess each vendor’s cybersecurity practices.
  • Monitor subcontractors to avoid hidden risks.

6. Foster collaboration and information sharing

Join threat intelligence networks

  • Participate in industry forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

7. Document and audit

Maintain compliance records

  • Document risk assessments, test results, incident reports, and third-party audits.
  • Prepare for regulatory reviews by national authorities or the ESAs.

Conduct internal audits

  • Review compliance annually, using checklists that are aligned with DORA requirements.

8. Continuous improvement

Update risk assessments

  • Reassess risks quarterly or after major changes.

Stay informed

  • Monitor updates to DORA’s Regulatory Technical Standards (RTS) and guidelines from the ESAs.

Veeam as Part of the Solution

As the most trusted provider of backup, recovery, and data management solutions, Veeam is well positioned to help meet the rigorous regulatory mandates prescribed under DORA. Veeam, together with its partners and system integrators, helps deliver market-leading and integrated backup, recovery, and data management solutions as part of an overall transformation and compliance strategy.

Together, we can craft the right solution that ensures that unique data protection and regulatory needs are met. Our joint offerings ensure that digital transformation and compliance initiatives are facilitated, disaster recovery (DR) plans and orchestration directives are accomplished, and business continuity plans are delivered.

Together, we protect against cybercrime and drive business continuity while ensuring that data is always protected and available, no matter where it is located. Our solutions offer workload management through a single platform that works for cloud, virtual, physical, SaaS, and Kubernetes environments too.

Some of the benefits include (but are not limited to):

  • Article 9: Protection and Prevention: Implement strong ICT security measures to protect critical systems and data and ensure high standards of availability, authenticity, and integrity of confidential data, whether at rest or in transit.

Veeam Recovery Orchestrator creates an orchestrated DR architecture to ensure business continuity and resilience to support the availability of ICT systems.

Encryption of data in transit (network transport encryption) and at rest also ensures end-to-end security of data as it moves.

Veeam’s SureBackup and Disaster Recovery Orchestrator both test and validate that your data is recoverable, which effectively minimizes the risk of corrupt data. Veeam’s Hardened Repository also keeps your data available by making backups immutable.

Veeam’s AI/ML-powered malware detection adds an extra layer of protection to backup data by identifying and isolating infected files before they can be restored, thus preventing the spread of malware and ensuring the integrity of your backup data.

  • Article 10: Detection: Entities must have mechanisms that identify potential vulnerabilities and anomalous activities, such as a plausible cyberthreat, and put security controls in place to protect against these risks.

Veeam ONE provides powerful monitoring, analytics, and alerting to detect ransomware or anomalous activities in both the production environment and backup and recovery process.

Built-in alerts can notify you of any anomalous activities and drastic performance changes in your environment, since they may be an indicator of a threat.

Incident response protocols can be configured to trigger an automatic remediation process to isolate the threat of ransomware activity.

Our AI/ML-powered malware detection bolsters an organization’s ability to detect sophisticated and evolving threats that may evade traditional signature-based detection methods. By leveraging machine learning algorithms, Veeam can identify patterns and anomalies that are indicative of malware, even in previously unknown or zero-day threats. This improves overall detection capabilities and helps organizations meet DORA’s requirements.

Furthermore, our AI/ML-powered malware detection enhances an organization’s risk management processes by proactively identifying and flagging potential malware in backup data. This allows organizations to take swift action to isolate and remediate threats and minimize the risk of data breaches or operational disruptions.

  • Article 12: Backup policies and procedures, restoration and recovery procedures and methods: ICT business continuity policy requires backup policies, restoration, and recovery.

Backup policies and procedures: Specify the scope of the data subject to the backup and minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data.

Veeam Platform backup is policy-based and defines the timing, scope, and target of backups. It covers backup frequency and recovery methods and meets organizational SLA requirements too.

Veeam’s feature set includes backup verification to ensure the success of your backups. Veeam’s enabling technology protects against cybercrime and drives business resiliency across any platform, whether on-premises, cloud, hybrid, or multi-cloud.

Recovery methods: In determining the recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function, consider whether it is a critical or important function, and the potential overall impact it has on market efficiency. These objectives ensure that, even in extreme scenarios, the agreed service levels are met.

Veeam’s platform minimizes data and transaction loss. Veeam has multiple ways to recover either automatically or manually depending on your specific business need.

Veeam offers data security options that include backup, replication, storage snapshots, and continuous data protection (CDP), which provide the minimum RTOs and RPOs your needs require.

  • Threats to email and domain security: Recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.

Veeam offers backup and protection of Entra ID and Microsoft 365 data which includes Exchange Online (mailbox and archive), OneDrive for Business, SharePoint Online, and Teams, as well as on-premises installations of Microsoft Exchange Server and Microsoft SharePoint Server.

Veeam Backup for Microsoft 365 protects Microsoft 365 backups from threats and offers granular restores to any location, whether on-premises or on a cloud platform.

Please contact us for more detail on functionalities and capabilities.

Summary

DORA is more than just a regulatory requirement; it is a blueprint for a more secure, resilient financial sector. As we navigate the complexities of the digital age, the principles underpinning DORA will undoubtedly play a crucial role in shaping the future of cybersecurity and resilience. For financial institutions, the path to compliance is also a path toward greater operational resilience that can offer a competitive advantage in an increasingly uncertain world.

By embracing the challenges and opportunities presented by DORA, we can ensure that our financial systems are not only protected against current threats but are also prepared to face the challenges of tomorrow.

The post Enhancing Business Continuity with the Digital Operational Resilience Act appeared first on Veeam Software Official Blog.
