What is the Digital Operational Resilience Act (DORA)?

Passed in January 2023, the EU’s Digital Operational Resilience Act (DORA) aims to make the EU financial sector more resilient against operational disruption caused by IT failure. It acknowledges that, because of the many internal and external IT interdependencies, the operational impact of a failure can extend far beyond the place where the failure occurs. By January 17, 2025, organizations must demonstrate that they have complete visibility into their IT landscape and how it supports business operations, and that they can reliably identify and mitigate risk to that IT.

Why has the EU enacted DORA?

The vulnerability of the EU’s banking sector was already a focus topic for the EU in 2018, when it created the FinTech Action Plan: “For a more competitive and innovative European financial sector”. The plan states:

“… paramount importance of making the Union financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents, ultimately enabling the effective and smooth provision of financial services across the whole Union, including under situations of stress, while also preserving consumer and market trust and confidence.”

As banking has become more digital, it has become—of course—more dependent on technology. The greater mobility of banking consumers and businesses within and between EU countries has required banking, and the technologies behind it, to expand beyond borders and become more interconnected. The increased use of third-party service and cloud providers has made IT landscapes extremely networked and FSI organizations highly interdependent. In 2020, the European Systemic Risk Board stated in a report addressing systemic cyber risk:

“… existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, could constitute a systemic vulnerability because localised cyber incidents could quickly spread from any of the approximately 22,000 Union financial entities to the entire financial system, unhindered by geographical boundaries.”

Dependency on technology for smooth and sound business operations requires high integrity of the technology environment—integrity that can easily be harmed by internal and external threats and risks.

Hence the passage of DORA: to make the EU banking sector less vulnerable and to maintain consumer confidence.

What exactly does DORA ask of European FSIs?

The regulation defines five main areas of action, which are covered here along with some of their requirements.

1. ICT Risk Management: Financial entities are required to set up a comprehensive ICT risk management framework that ensures business continuity, restoration and limited impact.

  • Identify, classify and document critical functions and assets
  • Continuously monitor all sources of ICT risks to set up protection and prevention measures
  • Put in place dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans

2. ICT-related Incident Reporting: Major ICT-related incidents must be reported using standardized reporting templates.

  • Develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities
  • Submit an initial, intermediate and final report on ICT-related incidents

3. Digital Operational Resilience Testing: Entities must submit to regular digital operational resilience testing by independent third parties.

  • Annually perform basic ICT testing of ICT tools and systems
  • Identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps with the implementation of counteractive measures
  • Periodically perform advanced Threat-Led Penetration Testing (TLPT) for ICT services which impact critical functions. ICT third-party service providers are required to participate and fully cooperate in the testing activities

4. ICT Third-party Risk: This area lays down key principles to monitor risks resulting from ICT third-party service providers.

  • Ensure sound monitoring of risks emanating from the reliance on ICT third-party providers
  • Report a complete register of outsourced activities, including intra-group services and any changes to the outsourcing of critical services
  • Ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details such as a full-service level description, indication of locations where data is being processed, etc.

5. Information Sharing: DORA allows financial entities to set up arrangements amongst themselves to exchange cyber threat information and intelligence. The DORA supervisory authority itself will provide relevant anonymized information and intelligence on cyber threats to financial entities.

DORA compliance challenges

Besides the obvious challenge of complying with DORA on time, an organization will want to strive for synergistic effects such as:

  • Cost-efficiency in long-term compliance, so that DORA compliance doesn’t compromise investment in business innovation
  • Leveraging DORA compliance efforts for other operational resilience (OR) regulations
  • Alignment of compliance efforts with strategic business and IT goals
  • Providing benefits to the organization as a whole, such as streamlining IT and business operations, and becoming more agile in delivering innovative business solutions

The above-mentioned synergies—and, of course, compliance—are hard to achieve when:

  • IT risk management isn’t tied to the operating model and thus not focused on operational resilience
  • There is no visibility into risk coming from 3rd party ICT service providers
  • Process and ICT information is scattered across multiple tools and organizations
  • There is no understanding of the interdependencies of the IT and business portfolios
  • Risk management is not tied to strategic planning and management of the IT portfolio

Unfortunately, many organizations fall back on approaches that the sheer number of business and IT architecture elements involved renders ineffective: using spreadsheets, CMDBs and diagramming tools to try to understand the IT landscape and all its interdependencies. None of these tools provide KPI-based analytics to assess the risk posture of the individual portfolio elements. None give you the big picture and business context needed to show the potentially damaging impact of a technology risk. Further, none give you the full picture from business strategy to IT execution in one system, which you need in order to monitor risk mitigation measures. And none give you the ability to properly assess the current situation and plan the path forward.

DORA compliance benefits

It’s clear there is effort in complying with DORA. Yet, there's a lot to be achieved in doing so using a holistic approach that includes business process analysis, enterprise architecture and strategic portfolio management for operational resilience:

  • Consistent and unified data between several sources to enable transparency and reporting for many and varied regulatory and business purposes
  • High degree of transparency that enables fact-based decision-making end-to-end across strategic planning, risk management, IT investment management, change execution and operations
  • A clean, streamlined IT and process landscape that incorporates risk consideration into change decisions
  • Newfound insights into processes and IT that can be leveraged for improved solution delivery and operations

And consulting companies, such as Bain Research, confirm that it is worth the effort: “DORA offers an opportunity to address deeper underlying issues that raise risk and costs today, by overhauling risk and compliance programs to include intelligent automation and cut back on redundancies and red tape.”

And lastly: that capital you need to put aside to cover ICT risk? Wouldn’t it be great to use it for new business solutions or IT improvements instead?

What is the best way to comply with DORA?

Yes, there are a lot of internal and external threats. Yet there are also underlying issues that raise risk:

  • A complex, opaque process and IT landscape
  • Way too many unnecessary moving parts in the business and IT portfolios
  • Business solutions that are developed with no consideration of the potential to introduce vulnerabilities into operations

Are these your goals?

  • Ability to identify impact of IT failure on business operations
  • Ability to identify risks coming from 3rd party ICT service providers
  • Ability to bake risk considerations into IT solution design and IT investments

Then you’ll want to look into ARIS and Alfabet—Software AG’s leading products for business process analysis, GRC, enterprise architecture and strategic portfolio management. Let’s look at how each can help:

Using Alfabet, IT can improve operational resilience by understanding the knock-on effects to business of a technology emergency, e.g., server failure, data corruption or OT (operational technology) failure. Alfabet gives you a transparent view into the interconnectedness of the portfolios of projects, applications, technologies, business strategies, business goals and the IT ecosystem (3rd party service providers), and how these relate to the enterprise operating model. With newfound visibility, IT can immediately take action to safeguard critical applications, data, business processes, etc. and contain the damage when danger strikes. With Alfabet’s architecture capabilities, you can incorporate threat and risk considerations into your IT planning and solution design. Its 360-degree view of business and IT ensures risk management is performed with full understanding of the consequences to business. When planning risk mitigations, Alfabet lets you identify and manage the risk of change to the IT portfolio—and any potential conflicts.

With ARIS you can define the regulatory requirements and map them to the relevant business processes. You can assess and monitor ICT risks in relation to processes and set up protection and prevention measures such as controls. In addition, you can put in place dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans. ARIS also enables evaluation of assessment results and supports reporting to internal and external auditors. In the case of incidents or compliance weaknesses, ARIS offers efficient issue management from detection to solution.

DORA compliance checklist

When looking for tool support for your DORA compliance efforts, make sure you’re getting these capabilities.

  1. Enterprise Architecture Management: an integrated, cohesive view of how the IT portfolio relates to the business operations and the risks involved.
  2. IT Governance: a framework for IT planning and management and the associated risk management.
  3. Threat Management: the ability to identify threats and relate them to the architecture elements or IT portfolio assets.
  4. IT Risk Management: policies and procedures for managing IT’s integrity regarding applications, projects, data, systems, and employees to ensure business continuity.
  5. Risk Mitigation: risk assessment, planning and implementation of measures to reduce the overall threat to the enterprise.
  6. Contract & Vendor Management: knowledge of all service providers, including contractual terms and conditions, as related to architecture elements and portfolio assets.
  7. Regulatory Management: documentation and evaluation of the regulation to analyze requirements and implement measures to comply.
  8. Self-Assessments: appraisal of where you stand on your journey by asking the right questions.
  9. Confirmation Management: roll-out of defined policies and confirmation that everyone involved has read and understood them.
  10. Control Testing and Management: regular testing of controls for effectiveness and follow-up on weaknesses.
  11. Incident and Issue Management: incidents can be documented and issues can be triggered and tracked until they’re solved.

Conclusion

Hopefully it has become clear that focusing on the immediate situation at the expense of the broader picture—and not considering how the response fits in with the company’s wider mission and purpose—is misguided. Organizations should use their DORA compliance efforts to create a lean and streamlined process and IT landscape and one that is resilient to all types of disruption.

Further, the insights gained for DORA compliance can be used for business innovation and informed decisions on IT change.

Finally, seeing DORA as an ad-hoc exercise that is easily done in a few days will only lead to problems down the line. DORA needs a sustainable approach that continuously examines IT investments, assets, operations and development for threats and risks.
