Resilience Compliance – Understanding DORA
For financial institutions, data and technology have become irreplaceable for effective business and operations. However, banking, borrowing and investing now run on vast interconnected networks of systems, and organisations that have come to depend on one another are highly susceptible to concentration risk.
Our advancement from the abacus has introduced new avenues for attack and interference to the financial world. In Databarracks’ most recent Data Health Check, we found that just under half of banking and finance organisations surveyed had experienced a cyber attack in the last 12 months.
The importance of resilience cannot be overstated, and this fact hasn’t been missed by EU regulators. With the introduction of the Digital Operational Resilience Act (DORA), they aim to deliver a consistent framework for cybersecurity and incident response across the region.
What does it cover?
With the core objective of strengthening financial entities’ (and supporting service providers’) resilience to ICT risks, the act proposes measures to ensure robust cybersecurity and resilience capabilities.
Broadly speaking, these fall into the following categories:
- ICT Risk Management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk
- Oversight of critical third-party providers
- Information sharing
Who does it apply to?
Not only does DORA apply to traditional financial institutions — including banks, investment firms, and lenders — it will also require other regulated businesses such as cryptocurrency firms and crowdfunding platforms to achieve compliance.
Third parties that serve financial institutions are also subject to regulation, for example cloud service providers and data centres, as well as managed service providers (MSPs) which provide data, insights and/or analytics.
In practical terms, the new regulations apply to all financial market participants, with some minor exemptions for “very small enterprises.”
When does it apply?
DORA entered into force on the 16th January 2023. Both financial entities and third-party service providers are expected to be compliant by the 17th January 2025.
How can Databarracks help you to achieve compliance?
As the technology and business resilience specialist, Databarracks is well equipped to support organisations as they work towards DORA compliance — wherever they are in the journey.
This includes trusted services and expertise in Business Resilience, Backup as a Service (BaaS), Disaster Recovery as a Service (DRaaS) and Public Cloud Services.
Business Continuity Planning
- DORA requires organisations to have a thoroughly established ICT Business Continuity Policy with tailored response and recovery procedures.
- Our Business Continuity as a Service (BCaaS) and wider services for Business Resilience align our expertise with your organisation to constantly monitor, assess and update plans as necessary.
- We help you to identify the critical operational and technical risks facing your organisation, then implement mitigation strategies and practical responses to address them.
Risk Management
- Databarracks’ Business Resilience Services can help you to maintain the high standards of availability, authenticity, integrity and confidentiality of data required by DORA.
- These services include Enterprise and Operational Risk Assessments, as well as policies, strategies and frameworks for Risk Management and IT Resilience.
Disaster Recovery (Article 11)
- Article 11 of DORA stipulates that financial entities must have thoroughly tested ICT continuity plans for response and recovery that are regularly reviewed and amended.
- Databarracks’ Business Resilience Services and DRaaS combine the best of cloud computing with expert guidance, training and strategy — helping our customers to become Resilient By Design.
Backup and Recovery (Article 12)
- With Databarracks’ BaaS, organisations gain access to a secure, immutable, air-gapped and automated offsite backup solution to comply with DORA standards for restoration policy and procedures.
- For further resilience, Jump-Start enables automated recovery in Microsoft Azure using Infrastructure as Code.
Third-Party Contractual Agreements
- Third-party service providers must follow appropriate information security standards for DORA compliance.
- They are also obligated to provide assistance at no cost in the event of an ICT incident, while offering full cooperation with relevant authorities.
- Databarracks offers a Supplier Continuity Assessment for full review of specified critical supplier continuity and recovery capabilities.
- Gap analysis is also available to show where critical suppliers meet DORA requirements for continuity and recovery, and where they present risks against those requirements.
To discover how we can help you to achieve DORA compliance, or for any other inquiries related to ensuring your IT resilience and continuity, contact us today.
You can also download our full DORA datasheet here.