From 17 January 2025, the Digital Operational Resilience Act (DORA) applies. Although its introduction is a done deal, much about this European regulation is still unclear, and this is causing uncertainty among the financial institutions that will have to comply.
TEXT: WYTZE RIJKMANS IMAGE: SHUTTERSTOCK
Regardless of how DORA works out, organisations can already take proactive steps now. After all, data and information play a central role in DORA compliance approaches and solutions.
Implementing a regulation is often stressful for organisations. It is not always clear exactly what is expected, and the complexity can be so great that those responsible do not know where to start. At the beginning of a compliance effort, people consider every system to be mission critical, but this is not possible or workable. It is important to properly assess which processes and applications are critical and which are not. Otherwise you can’t see the wood for the trees.
Organisations often overestimate what it takes to be operationally ‘resilient’ and underestimate the effort required. Organisations have many blind spots: unmanaged laptops, servers that no one knows are still active, and routers that exchange data with unknown devices. This is why a good asset management system is essential: what endpoints do you have, what are they connected to, how vulnerable are they and what risks do they pose?
It sounds simple: it all starts with data. Yet many organisations do not have a 100% accurate configuration management database. And it goes beyond devices: you also need to consider workflows, contracts and service level agreements. A simple spreadsheet is no longer enough to manage this complexity.
Wytze Rijkmans is regional vice president at Tanium.
Reporting is one of the key obligations under DORA. In the event of a (critical) incident, financial institutions are required to inform the supervisory authorities within a specified time. Reporting means providing information. So here, too, it’s all about data. When time is of the essence, you need relevant and real-time data. Data that is a year old is useful for statistics, but it is useless in the event of an incident. The risk from a year ago is no longer relevant. Therefore, monthly checks are no longer sufficient; they need to be continuous.
Continuous checks are only possible if a large proportion of the tasks are automated. This is another argument in favour of using specialised solutions instead of spreadsheets. Only then is it possible to react quickly and even take corrective action automatically if necessary.
Third-party or supply-chain risks are the subject of a separate chapter within DORA. Like any other sector, finance relies on third parties for many of its processes, such as integrators providing SaaS applications. A critical application such as a payment system can easily involve 10 different vendors. The resilience of the payment system is partly determined by the resilience of all these underlying applications. All these systems and their risks need to be mapped and appropriate agreements made with the suppliers. Again, a spreadsheet is not enough, as you need to record not only clear agreements but also things like when the relationship starts and ends. Applications that are no longer used should not remain connected to other applications and should be disconnected automatically.
DORA requires a fundamental shift in the way financial institutions approach operational resilience. Organisations can no longer rely on static processes or insufficient tools. Real-time data is essential to manage complexity and respond quickly and accurately to incidents. In addition, automation is no longer an option, but a necessity. Only by automating processes can organisations ensure continuous compliance while improving operational efficiency.
From 17 January 2025, compliance with the new EU Digital Operational Resilience Act (Dora) will be checked. Preparing for such an important piece of legislation can be difficult for financial organisations of all sizes. But it is also important to be aware of the advantages that will make the compliance process run smoother.
TEXT: OSCAR WIJNANTS
Large financial organisations face several structural challenges that make Dora compliance difficult. Many financial organisations are built on legacy technology that requires significant investment to update.
Three in four organisations suffer from constraints due to silos and need to improve internal communication to build a structure that’s up to the demands. This requires a new way of working with data and information flowing freely between departments. This makes management easier and increases transparency. If Dora is firmly on the radar of the compliance and IT departments, and seen as an integral part of the business plan, the necessary Dora processes can be successfully implemented.
Older financial institutions also have an advantage when it comes to compliance. The industry is highly regulated and has strong expertise in compliance requirements and regulatory changes. This makes Dora less daunting.
The regulatory environment is sometimes different for younger, smaller companies than for larger organisations, and they have less experience in navigating complex regulations and changes. A lack of established processes or frameworks, as well as scalability issues, can make DORA compliance a challenge. As newer fintech companies expand, compliance efforts need to grow proportionately. Unplanned compliance expansion can be costly and complex if major adjustments to initial setups and systems are required.
However, smaller cloud-first organisations benefit enormously from their flexibility and adaptability. By starting digitally, they are already compliant with many regulations. Challenges faced by larger organisations, such as working in silos and limited communication, are less of an issue if, for example, unified communications tools have been implemented.
Organisations need to prepare for Dora to be ready as of January 2025. Larger (financial) organisations will gain confidence in Dora compliance as departments collaborate more and experts share their expertise regarding previous regulations. Smaller start-up fintechs will need to perfect the process and rely on their cloud-first approach to meet these necessary compliance obligations.
Oscar Wijnants is director at NetApp Netherlands.
Edition #07 – January 2025