Building Digital Resilience: The Roadmap to DORA Readiness 

Rob Otto, EMEA Field CTO at Ping Identity

As we edge closer to the January 2025 deadline for the Digital Operational Resilience Act (DORA), the sense of urgency for organisations in the financial services sector to ready themselves is palpable. DORA marks a watershed in regulatory standards, stressing the essential need for these institutions to bolster their defences against digital disruption.

At its core, DORA is designed to ensure the financial sector’s digital infrastructure is robust enough to withstand and recover from technological disruptions. However, the journey to DORA compliance is shadowed by past incidents, like the massive cyberattacks on financial institutions, which have exposed millions of customer records, and system outages that left customers without access to banking services for days. Adding to the complexity, many firms struggle with legacy systems ill-suited to modern cybersecurity demands and a threat landscape that evolves more rapidly than they can adapt. This backdrop makes the path to readiness challenging yet non-negotiable, emphasising the urgent need for action.

There will be certain intricacies as organisations navigate DORA compliance. This act, with its profound repercussions for how we manage costs, spur innovation, and sustain profitability, is a wake-up call for finance firms. The prospect of large-scale cyberattacks warrants a big shift in how they proactively and reactively defend their business and their customers.

Understanding DORA

DORA sets forth stringent requirements for financial entities. All 22,000 of them, including banks, insurance companies, and investment firms, not to mention the growing third-party ecosystem, must focus on risk management, reporting, and testing of ICT systems. The Act forms part of the EU’s wider Digital Finance Package, which is designed to give consumers protection and financial stability.

For stakeholders, DORA introduces a dual challenge: adhering to rigorous standards while continuing to innovate and compete in a rapidly evolving digital landscape. This balancing act is crucial: as we’ll discuss later, non-compliance not only risks regulatory sanctions but can also undermine consumer trust and corporate integrity.

Considering these challenges, it’s essential for organisations to understand the specific demands of DORA, including the need for a comprehensive risk management framework, detailed incident reporting procedures, and regular IT system testing. Such measures are not just regulatory obligations, but are pivotal in fortifying operational resilience and safeguarding against potential financial and reputational losses.

The importance of compliance

DORA compliance is more than a checkbox for regulatory adherence. It’s a strategic pivot toward ensuring enduring trust and maintaining a pristine reputation in a time where digital setbacks are inevitable realities rather than just possibilities.

This strategic imperative is vital for financial organisations as the resilience of their ICT systems not only dictates their ability to navigate challenging regulatory environments, but also reinforces their market standing by evidencing a steadfast commitment to operational excellence and the safeguarding of customer trust.

Practical steps towards compliance

Achieving compliance with DORA requires a structured approach, beginning with a thorough assessment of the current state of an organisation’s digital operational resilience. This assessment should consider four key elements to identify gaps in compliance and areas for improvement in risk management frameworks, incident reporting mechanisms, and IT system testing.

1. Develop a compliance roadmap: Outline a detailed plan that addresses identified gaps, allocates resources, and sets clear timelines for compliance milestones.

2. Enhance risk management frameworks: Integrate DORA’s requirements into existing risk management processes, ensuring digital operational risks are adequately identified, assessed, and mitigated.

3. Establish robust incident reporting procedures: Implement mechanisms for the timely detection and reporting of IT-related incidents, in line with DORA’s requirements.

4. Conduct regular IT system testing: Schedule and execute regular testing of IT systems to evaluate resilience against disruptions. This testing should be both thorough and reflective of real-world scenarios.

Leveraging digital identity for DORA readiness

Digital identity plays a pivotal role in establishing strong cybersecurity and business recovery strategies. By securing digital identities and transactions, organisations can significantly mitigate the risk of disruptions caused by cyber threats—a key component of digital operational resilience. Identity and Access Management (IAM) is critical in bolstering cybersecurity and aiding compliance, managing secure access, and protecting data. Here’s how:

– Authentication and access management: Implementing strong authentication and access management controls ensures that only authorised users can access critical systems, reducing the risk of breaches and disruptions.

– Automated compliance reporting: Leveraging digital identity solutions can automate the generation of compliance reports, making it easier for organisations to meet DORA’s reporting requirements.

– Enhanced incident response: Digital identity platforms can facilitate rapid detection and response to security incidents, a crucial component of DORA’s incident management requirements.

Final remarks

2025 will mark a milestone for financial service providers on a long-term journey towards digital supremacy and robustness. It’s perhaps one they might not have realised was completely necessary before the Act was imposed; nonetheless, the directives laid down by DORA, while stringent, will help them to navigate the digital perils of today and arm themselves against tomorrow’s uncertainties.

Adopting the DORA mandates is more than a regulatory exercise; it’s an opportunity to fundamentally rethink our digital operational strategies. It challenges us to look beyond compliance as a mere requirement, viewing it instead as a lever for strategic advancement and innovation.

For those of us steering these financial institutions, it’s time to reflect and act. Consider how we can extend our ambitions beyond the baseline of DORA compliance to redefine our digital operational ethos, and how we can embrace DORA’s principles as a catalyst for continuous innovation and improvement within our realms.
