Enhancing Business Continuity with the Digital Operational Resilience Act

In the digital age, cybersecurity is not just about protecting data; it’s about ensuring that the very fabric of our financial systems remains intact and resilient against threats. The introduction of the Digital Operational Resilience Act (DORA) by the European Union marks a significant milestone in the journey toward a safer and more stable financial ecosystem. The financial services sector, together with its cybersecurity and resilience functions, has witnessed firsthand the evolution of digital threats and the increasing sophistication of cyber adversaries. It is against this backdrop that we examine the importance of DORA and its potential to redefine the landscape of financial services, cybersecurity, and resilience.

Understanding the DORA Act and How it’s Enforced

DORA was formally ratified in November 2022 by the European Parliament and the Council of the European Union, the legislative bodies responsible for passing laws in the EU. Enforcement has now begun: financial firms and third-party ICT service providers had until Jan. 17, 2025, to comply with DORA.

DORA emerges in response to the growing dependency of financial entities on information and communication technologies (ICT). DORA aims to standardize the digital operational resilience framework across all EU member states, ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.

At its core, DORA focuses on several key areas:

The European Supervisory Authorities (ESAs) play a central role in implementing and enforcing DORA. The ESAs, comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), act as the regulatory backbone of DORA to ensure harmonized oversight and compliance across the EU financial sector.

Once the standards are finalized, their enforcement is left to the “competent authorities,” the designated regulators in each EU member state. These authorities may require financial entities to take security precautions and address vulnerabilities. Entities that fail to comply will be subject to administrative penalties and, in certain situations, criminal penalties. These penalties are decided separately by each member state.

ICT providers that the European Commission has classified as “Critical Third Party Providers” (CTPPs) are under the direct supervision of lead overseers from the ESAs. Lead overseers have the same authority as competent authorities to demand security measures and corrective actions from non-compliant ICT providers and to impose penalties on them. These include:

If a critical ICT third-party provider fails to comply with DORA, the following penalties and corrective measures may apply:

Who Needs to Comply with the DORA Act?

DORA is designed primarily for entities within the EU financial sector. It aims to ensure that all participants in the financial system have the safeguards and mechanisms needed to manage cyberthreats effectively. Here is a breakdown of the entities that need to comply with DORA:

DORA sets a comprehensive framework for operational and digital resilience across the financial sector, reflecting the EU’s commitment to safeguarding financial systems against ICT and cyberthreats. Compliance with DORA not only enhances the resilience of individual entities but also contributes to the stability and integrity of the financial market as a whole.

DORA’s Implications for Financial Entities

For financial institutions across the EU, DORA is not just another regulation — it is a transformational shift toward a more unified and robust approach to cybersecurity. By harmonizing requirements, DORA aims to level the playing field and ensure that all entities, regardless of size or complexity, adhere to high standards of digital resilience.

The implementation of DORA will undoubtedly present challenges, particularly for smaller institutions that may lack the resources of their larger counterparts. However, it also offers an opportunity to strengthen defenses, improve incident response mechanisms, and foster a culture of continuous improvement and resilience.

A Cybersecurity Veteran’s Perspective

Drawing on years of experience in the trenches of cybersecurity and resilience, we view DORA as a critical step forward, and a very necessary one. Operational resilience is about more than just preventing attacks; it’s about ensuring that financial services can continue to operate effectively, even in the face of disruption. DORA’s comprehensive approach to risk management, testing, and third-party oversight reflects a deep understanding of the multi-faceted nature of modern cybersecurity.

Looking ahead, we anticipate that DORA will drive innovation in cybersecurity practices and technologies. As financial institutions work to comply with DORA’s requirements, we are likely to see an increase in the adoption of advanced cybersecurity and cyber resilience practices, processes, and solutions.

Practical Steps Toward Compliance

Achieving compliance with DORA requires a structured and cross-functional approach. Below is a practical, step-by-step roadmap to help organizations align with DORA’s requirements, focusing on ICT risk management, incident response, third-party oversight, and resilience testing.

Map DORA requirements

Prioritize risks

Assign accountability

Develop an ICT risk management framework

Implement incident management and reporting processes

Build playbooks

Conduct regular testing

Remediate vulnerabilities

Audit third-party providers

Due diligence and monitoring

Join threat intelligence networks

Maintain compliance records

Conduct internal audits

Update risk assessments

Stay informed

Veeam as Part of the Solution

As the most trusted provider of backup, recovery, and data management solutions, Veeam is well positioned to help organizations meet the rigorous regulatory mandates prescribed under DORA. Veeam, together with its partners and system integrators, delivers market-leading, integrated backup, recovery, and data management solutions as part of an overall transformation and compliance strategy.

Together, we can craft the right solution that ensures that unique data protection and regulatory needs are met. Our joint offerings ensure that digital transformation and compliance initiatives are facilitated, disaster recovery (DR) plans and orchestration directives are accomplished, and business continuity plans are delivered.

Together, we protect against cybercrime and drive business continuity while ensuring that data is always protected and available, no matter where it is located. Our solutions offer workload management through a single platform that works for cloud, virtual, physical, SaaS, and Kubernetes environments too.

Some of the benefits include (but are not limited to):

Veeam Recovery Orchestrator provides an orchestrated DR architecture that supports business continuity, resilience, and the availability of ICT systems.

Encryption also ensures end-to-end security of data, both in transit (network transport encryption) and at rest.

Veeam’s SureBackup and Disaster Recovery Orchestrator both test and validate that your data is recoverable, which effectively minimizes the risk of restoring corrupt data. Veeam’s Hardened Repository uses immutability to ensure that your backup data remains intact and available.

Veeam’s AI/ML-powered malware detection adds an extra layer of protection to backup data by identifying and isolating infected files before they can be restored, thus preventing the spread of malware and ensuring the integrity of your backup data.

Veeam ONE provides powerful monitoring, analytics, and alerting to detect ransomware or anomalous activities in both the production environment and backup and recovery process.

Built-in alerts can notify you of any anomalous activities and drastic performance changes in your environment, since they may be an indicator of a threat.

Incident response protocols can be configured to trigger an automatic remediation process that isolates ransomware activity.

Our AI/ML-powered malware detection bolsters an organization’s ability to detect sophisticated and evolving threats that may evade traditional signature-based detection methods. By leveraging machine learning algorithms, Veeam can identify patterns and anomalies that are indicative of malware, even in previously unknown or zero-day threats. This improves overall detection capabilities and helps organizations meet DORA’s requirements.

Furthermore, our AI/ML-powered malware detection enhances an organization’s risk management processes by proactively identifying and flagging potential malware in backup data. This allows organizations to take swift action to isolate and remediate threats and minimize the risk of data breaches or operational disruptions.

Backup policies and procedures: Specify the scope of the data subject to the backup and minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data.

Veeam Platform backup is policy-based and defines the timing, scope, and target of backups. It covers backup frequency and recovery methods and meets organizational SLA requirements too.

Veeam’s feature set includes backup verification to ensure the success of your backups. Veeam’s enabling technology protects against cybercrime and drives business resiliency across any platform, whether on-premises, cloud, hybrid, or multi-cloud.

Recovery methods: In determining the recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function, consider whether it is a critical or important function, and the potential overall impact it has on market efficiency. These objectives ensure that, even in extreme scenarios, the agreed service levels are met.

Veeam’s platform minimizes data and transaction loss. Veeam has multiple ways to recover either automatically or manually depending on your specific business need.

Veeam offers data security options that include backup, replication, storage snapshots, and continuous data protection (CDP), which provide minimal RTOs and RPOs according to your needs.

Veeam offers backup and protection of Entra ID and Microsoft 365 data, including Exchange Online (mailbox and archive), OneDrive for Business, SharePoint Online, and Teams, as well as on-premises installations of Microsoft Exchange Server and Microsoft SharePoint Server.

Veeam Backup for Microsoft 365 protects Microsoft 365 backups from threats and offers granular restores to any location, whether on-premises or on a cloud platform.

Please contact us for more detail on functionalities and capabilities.

Summary

DORA is more than just a regulatory requirement; it is a blueprint for a more secure, resilient financial sector. As we navigate the complexities of the digital age, the principles underpinning DORA will undoubtedly play a crucial role in shaping the future of cybersecurity and resilience. For financial institutions, the path to compliance is also a path toward greater operational resilience that can offer a competitive advantage in an increasingly uncertain world.

By embracing the challenges and opportunities presented by DORA, we can ensure that our financial systems are not only protected against current threats but are also prepared to face the challenges of tomorrow.
