Digital Operational Resilience Act (DORA)

Resilience and disaster recovery are critical components in the context of the Digital Operational Resilience Act (DORA), a European regulation designed to ensure the robustness of the financial sector’s information and communication technology (ICT) systems. The regulation recognises that the blast radius of an incident today is much wider than it used to be: an incident can take out not only the affected system or entity, but also entities downstream and upstream of it. Here’s what's important:

  1. Preventing Disruptions: Financial services are increasingly reliant on technology, making them vulnerable to cyber-attacks and other ICT incidents. Resilience measures are essential to prevent such disruptions that can affect not only individual entities but also the broader economy.

  2. Maintaining Service Continuity: DORA mandates that financial entities must be able to withstand, respond to, and recover from ICT-related disruptions. This ensures that critical financial services remain available to consumers and businesses, even in the face of severe operational disturbances. This is likely to include geographic diversity in how your vendors provide services, data resilience, etc., but above all, the recovery should be practised one or more times per year. Don't wait for the event.

  3. Mitigating Cyber Threats: With the financial sector being a prime target for cyber threats, DORA emphasises the need for entities to have robust cyber resilience strategies in place to mitigate the risk of cyber-attacks and protect sensitive data. Where in the past physical security was more than enough to prevent intrusions, we now have to think about hardened images and operating systems, zero trust, zero-day attacks, data theft, etc. Build this into the DevOps pipeline.

  4. Harmonizing Standards: DORA introduces harmonized rules across EU member states, ensuring that all financial entities adhere to a consistent level of digital operational resilience. This includes having effective disaster recovery plans to quickly restore services after an incident.

  5. Regulatory Compliance: Financial entities must comply with DORA’s stringent requirements by January 2025, so we have nine months of effort left. This includes defining business recovery processes, service levels, and acceptable recovery times to address both regulatory compliance and cybersecurity challenges.

In summary, resilience and disaster recovery are not just about compliance with DORA; they are about safeguarding the financial ecosystem, your business neighbours, protecting consumers, and maintaining the stability and integrity of the financial markets in the digital age.
