Enhancing Business Continuity with the Digital Operational Resilience Act

In the digital age, cybersecurity is not just about protecting data; it is about ensuring the very fabric of our financial systems remains intact and resilient against threats. The introduction of the Digital Operational Resilience Act (DORA) by the European Union marks a significant milestone in the journey toward a safer, more stable financial ecosystem. As cybersecurity veterans, we have witnessed firsthand the evolution of digital threats and the increasing sophistication of cyber adversaries. It is against this backdrop that we delve into the importance of DORA and its potential to redefine the landscape of financial services cybersecurity.

Understanding the DORA Act and How It’s Enforced

DORA was formally adopted in November 2022 by the European Parliament and the Council of the European Union, the two bodies that pass legislation in the EU. Financial entities and their third-party ICT service providers have until January 17, 2025, the date from which the regulation applies, to comply with DORA.

The Digital Operational Resilience Act emerges in response to the growing dependency of financial entities on information and communication technologies (ICT). DORA aims to standardize the digital operational resilience framework across all EU member states, ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.

At its core, DORA focuses on several key areas: ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing, management of ICT third-party risk, and the sharing of cyberthreat information between financial entities.

Even though DORA has been formally adopted by the EU, the European Supervisory Authorities (ESAs) are still working out several important details. The ESAs are the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), the regulatory bodies in charge of the EU financial sector.

The ESAs draft the regulatory technical standards (RTS) and implementing technical standards (ITS) that covered entities are required to implement; these standards are expected to be completed in 2024. The European Commission is likewise expected to complete the oversight framework for critical ICT providers by 2024.

Once the standards are finalized and the January 2025 application date has passed, enforcement will be left to the “competent authorities,” the designated regulators in each EU member state. These authorities may require financial entities to take specific security measures and to address identified vulnerabilities. Entities that fail to comply will be subject to administrative penalties, and in certain situations to criminal penalties, with the penalties defined separately by each member state.

ICT third-party providers that the ESAs designate as “critical” will be under the direct supervision of a lead overseer drawn from the ESAs. Lead overseers have the same authority as competent authorities to demand security measures and corrective actions from, and to impose penalties on, noncompliant ICT providers. Under DORA, a lead overseer may impose periodic penalty payments on a provider of up to one percent of the provider’s average daily worldwide turnover in the preceding business year, charged daily for up to six months until the provider complies.

Who Needs to Comply with the DORA Act?

The Digital Operational Resilience Act (DORA) is designed primarily for entities within the financial sector of the European Union. It aims to ensure that all participants in the financial system have the necessary safeguards and mechanisms to manage cyberthreats effectively. In broad terms, the entities that need to comply with DORA are credit institutions; payment institutions and electronic money institutions; investment firms; crypto-asset service providers; central securities depositories; central counterparties; trading venues and trade repositories; managers of alternative investment funds and management companies; data reporting service providers; insurance and reinsurance undertakings and intermediaries; institutions for occupational retirement provision; credit rating agencies; administrators of critical benchmarks; crowdfunding service providers; and securitisation repositories, together with the ICT third-party service providers that serve them.

DORA sets a comprehensive framework for operational and digital resilience across the financial sector, reflecting the EU’s commitment to safeguarding the financial system against ICT and cyberthreats. Compliance with DORA not only enhances the resilience of individual entities but also contributes to the stability and integrity of the financial market.

DORA Act’s Implications for Financial Entities

For financial institutions across the EU, DORA is not just another regulation — it is a transformational shift towards a more unified and robust approach to cybersecurity. By harmonizing requirements, DORA aims to level the playing field, ensuring that all entities, regardless of size or complexity, adhere to high standards of digital resilience.

The implementation of DORA will undoubtedly present challenges, particularly for smaller institutions that may lack the resources of their larger counterparts. However, it also offers an opportunity to strengthen defenses, improve incident response mechanisms, and foster a culture of continuous improvement and resilience.

The Cybersecurity Veteran’s Perspective

Drawing on years of experience in the trenches of cybersecurity, we view DORA as a critical step forward, and a very necessary one. Operational resilience is about more than just preventing attacks; it is about ensuring that financial services can continue to operate effectively, even in the face of disruption. DORA’s comprehensive approach to risk management, testing, and third-party oversight reflects a deep understanding of the multifaceted nature of modern cybersecurity.

Looking ahead, we anticipate that DORA will drive innovation in cybersecurity practices and technologies. As financial institutions work to comply with DORA’s requirements, we are likely to see an increase in the adoption of advanced cybersecurity and cyber resilience practices, processes, and solutions.

Practical Steps Towards Compliance

For financial institutions beginning their journey towards DORA compliance, here are some actionable steps to consider:

Veeam as Part of the Solution

As the most trusted provider of backup, recovery, and data management solutions, Veeam is well positioned to help meet the rigorous regulatory mandates prescribed under DORA. Veeam, together with its partners and system integrators, helps deliver market-leading and integrated backup, recovery, and data management solutions as part of an overall transformation and compliance strategy.

Jointly, we craft the right solution to ensure that customers’ unique data protection and regulatory needs are met. Our joint offerings support digital transformation and compliance initiatives, carry out disaster recovery (DR) plans and orchestration directives, and deliver business continuity plans.

Together with Global System Integrators (GSIs), we protect against cybercrime and drive business continuity while ensuring that data is always protected and available, no matter where it is located. Our joint solutions manage workloads through a single platform that works across cloud, virtual, physical, SaaS, and Kubernetes environments.

Some of the benefits include (but are not limited to):

Veeam Recovery Orchestrator creates an orchestrated DR architecture to ensure business continuity and resilience to support the availability of ICT systems.

Encryption of backup data protects it both in transit, through network transport encryption between backup components, and at rest, in the backup files themselves, so that data moved to and held in a repository cannot be read if it is intercepted or the storage is exposed.

Veeam’s SureBackup and Veeam Recovery Orchestrator both test and validate that data is recoverable, effectively minimizing the risk of discovering corrupt or unrestorable backups only during an incident. Hardened Repository keeps backups immutable for their retention period, so that they cannot be modified or deleted, even by an attacker who has obtained administrative credentials, and remain available for recovery.

Veeam’s AI/ML-powered malware detection adds an extra layer of protection to backup data by identifying and isolating infected files before they can be restored, preventing the spread of malware, and ensuring the integrity of the backup data.

Veeam ONE provides powerful monitoring, analytics, and alerting to detect ransomware or anomalous activity in both the production environment and the backup and recovery process.

Built-in alerts notify of any anomalous activities and drastic performance changes which may be an indicator of a threat.

Incident response actions can be configured so that an alarm triggers an automatic remediation process, for example isolating the affected system to contain suspected ransomware activity.

Our AI/ML-powered malware detection bolsters an organization’s ability to detect sophisticated and evolving threats that may evade traditional signature-based detection methods. By leveraging machine learning algorithms, Veeam can identify patterns and anomalies indicative of malware, even in previously unknown or zero-day threats, thereby improving the overall detection capabilities and helping organizations meet DORA’s requirements.

Furthermore, our AI/ML-powered malware detection enhances an organization’s risk management processes by proactively identifying and flagging potential malware in backup data. This allows organizations to take swift action to isolate and remediate threats, minimizing the risk of data breaches or operational disruptions.

Backup policies and procedures (DORA Article 12) – specify the scope of the data subject to backup and the minimum frequency of the backup, based on the criticality of the information or the confidentiality level of the data.

Veeam Platform backups are policy-based: each policy defines the timing, scope, and target of the backup, including backup frequency and the recovery methods available, so that backup schedules can be matched to the organization’s SLA requirements.

Veeam’s feature set includes backup verification to confirm that each backup completed successfully and can be restored.

Veeam’s enabling technology protects against cybercrime and drives business resiliency across any platform; on-premises, cloud, hybrid, and multi-cloud.

Recovery methods (DORA Article 12) – in determining the recovery time objective (RTO) and recovery point objective (RPO) for each function, consider whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.

Veeam’s platform minimizes data and transaction loss. Veeam has multiple ways to recover either automatically or manually depending on the specific business need.

Veeam offers several data protection methods, including backup, replication, storage snapshots, and continuous data protection (CDP), which can be combined to achieve the recovery time and recovery point objectives each function requires.

Veeam offers backup and protection of Active Directory and of Microsoft 365 data, including Exchange Online (mailboxes and archives), OneDrive for Business, SharePoint Online, and Teams, as well as on-premises installations of Microsoft Exchange Server and Microsoft SharePoint Server.

Veeam Backup for Microsoft 365 (VB365) protects Microsoft 365 backups from threats and offers granular restores of data to any location, whether on-premises or on a cloud platform.

Please contact us for more detail on functionalities and capabilities.

Summary

The Digital Operational Resilience Act is more than just a regulatory requirement; it is a blueprint for a more secure, resilient financial sector. As we navigate the complexities of the digital age, the principles underpinning DORA will undoubtedly play a crucial role in shaping the future of cybersecurity. For financial institutions, the path to compliance is also a path toward greater operational resilience, offering a competitive advantage in an increasingly uncertain world.

By embracing the challenges and opportunities presented by DORA, we can ensure that our financial systems are not only protected against current threats but are also prepared to face the challenges of tomorrow.
