Complying with DORA — the Role of Continuous Data Protection

By Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise Company

The EU’s Digital Operational Resilience Act (DORA) is making waves across the financial sector. It was created to “strengthen financial entities’ ability to effectively monitor all ICT risk emerging at the level of third-party service providers”, and its obligations apply from 17 January 2025. UK organisations that provide ICT services to EU financial entities fall within its scope as third-party providers and will need to comply by that date. The UK government has also hinted that a UK equivalent of DORA will follow, a move that could introduce additional regulatory requirements for technology providers serving the financial services sector.

On a practical level, DORA brings together operational resilience rules for some 20 types of financial entity and for their ICT third-party service providers, covering everything from credit and payment institutions and investment firms to crowdfunding services. It also places significant emphasis on improving ICT resilience in areas such as risk and incident management, digital operational resilience testing, third-party management and information sharing. As a result, financial institutions may need to raise their resilience on several fronts at once.

Arguably more important for IT teams, however, is the impact DORA will have on disaster recovery (DR): the legislation addresses protection and prevention, response and recovery, and backup policies and procedures explicitly. Organisations whose current technologies cannot meet these requirements may need to implement more suitable DR solutions. Across all of these areas, non-compliance could result in penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case.


Bridging the DR gap

To bridge the gap between existing DR capabilities and those DORA demands, many organisations are turning to continuous data protection (CDP) for the resilience, continuity and availability they need. As the name suggests, CDP continuously captures and tracks changes to data as they are written, journaling every version rather than taking periodic snapshots, either locally or at a target repository.

Administrators can use this journal to restore data to any point in time, for example to the seconds before a ransomware attack began or a technology failure occurred. In doing so, CDP minimises data loss (the recovery point objective shrinks from the interval between backups to seconds) and reduces downtime and the associated costs for modern digital businesses.

In addition, Article 11 of DORA requires financial entities to implement and maintain appropriate ICT business continuity plans and to test them regularly. The challenge is that not all DR solutions offer adequate failover testing or reporting, which leaves organisations unable to demonstrate recoverability during audits and inspections. Financial entities should therefore ensure that their DR capabilities support fully automated, non-disruptive and granular failover testing in an isolated sandbox, so that business continuity can be tested as often as required without disrupting production, and that each test produces a report recording the recovery time and recovery point actually achieved, since that evidence is what auditors will ask for.

Also relevant is Article 12 of DORA, which requires organisations to operate a secondary site “equipped with adequate resources, capabilities, functions, and staffing capacity to meet business needs.” From a technology perspective, the data side of this can be delivered via one-to-many replication, which replicates from a single source to multiple target environments at the same time: one copy can be kept locally for fast recovery and another at a geographically distant site, so that a regional outage cannot take out both. Replication covers the data and systems; the article’s staffing and functional requirements still have to be met operationally.

DORA also requires that financial organisations “must have mechanisms in place to detect anomalous activity […] promptly, including automated alert mechanisms for staff responsible for responding to ICT-related incidents.” In this context, real-time encryption detection, which inspects the stream of replicated writes for the signature of bulk encryption (for instance, a sudden and sustained rise in the randomness of the data being written), can raise an alert as a ransomware attack starts, before the whole environment is encrypted. Combined with CDP, the alert also marks the point in the journal to rewind to, so IT teams can minimise both data loss and downtime.
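The two mechanisms described above (a CDP journal that keeps every version of every block, and real-time detection of encryption in the write stream) fit together in a small simulation. The following is an added illustration written for this article; it is not Zerto’s or any product’s code. The journal format, the entropy heuristic used for detection, the alert window and the sample write stream (six normal text writes followed by six ransomware-style writes of random bytes) are all constructed assumptions for the example.

```python
"""Toy CDP write journal with entropy-based encryption detection and
point-in-time rewind. Added illustration, not Zerto's or any product's code;
journal format, detection heuristic and sample writes are all constructed."""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Write:
    ts: float     # seconds since start of the constructed run
    block: int    # logical block number on the protected volume
    data: bytes   # block content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Journal:
    """Append-only journal: every version of every block is kept."""

    def __init__(self) -> None:
        self._entries: List[Write] = []

    def record(self, w: Write) -> None:
        if self._entries and w.ts < self._entries[-1].ts:
            raise ValueError("writes must be journaled in time order")
        self._entries.append(w)

    def entries(self) -> List[Write]:
        return list(self._entries)

    def restore(self, at_ts: float) -> Dict[int, bytes]:
        """Block -> data as the volume stood at at_ts (inclusive); later writes win."""
        image: Dict[int, bytes] = {}
        for w in self._entries:
            if w.ts > at_ts:
                break
            image[w.block] = w.data
        return image


class EncryptionDetector:
    """Alert when `window` consecutive writes all exceed an entropy threshold."""

    def __init__(self, threshold_bits: float = 7.0, window: int = 4) -> None:
        self.threshold_bits = threshold_bits   # random/ciphertext bytes sit near 8.0
        self.window = window
        self._recent: List[float] = []

    def observe(self, w: Write) -> bool:
        self._recent = (self._recent + [shannon_entropy(w.data)])[-self.window:]
        return (len(self._recent) == self.window
                and min(self._recent) >= self.threshold_bits)


def protect_and_monitor(writes: List[Write],
                        detector: EncryptionDetector) -> Tuple[Journal, Optional[float]]:
    """Journal every write; return the journal and the first alert timestamp."""
    journal, alert_ts = Journal(), None
    for w in writes:
        journal.record(w)
        if alert_ts is None and detector.observe(w):
            alert_ts = w.ts
    return journal, alert_ts


def rewind_point(journal: Journal, alert_ts: float, window: int) -> float:
    """Restore point: the last write before the suspicious run began, i.e. the
    entry `window` writes before the one that triggered the alert."""
    ts_list = [w.ts for w in journal.entries()]
    idx = ts_list.index(alert_ts) - window
    return ts_list[idx] if idx >= 0 else ts_list[0] - 1.0


def sample_writes() -> List[Write]:
    """Constructed stream: six normal text writes, then six ransomware-style
    writes that overwrite blocks with ciphertext-like random bytes."""
    rng = random.Random(2024)                       # fixed seed, deterministic
    writes = []
    for i in range(6):
        text = (f"ledger entry {i}: payment INV-{1000 + i} approved\n" * 8).encode()
        writes.append(Write(ts=float(i), block=i % 3, data=text))
    for i in range(6, 12):                          # encryption starts at t=6
        writes.append(Write(ts=float(i), block=i % 3, data=rng.randbytes(1024)))
    return writes


def demo() -> Tuple[Optional[float], float, bool]:
    """Return (alert time, chosen restore point, whether restored image is clean)."""
    det = EncryptionDetector(threshold_bits=7.0, window=4)
    journal, alert_ts = protect_and_monitor(sample_writes(), det)
    restore_ts = rewind_point(journal, alert_ts, det.window)
    image = journal.restore(restore_ts)
    clean = all(shannon_entropy(b) < det.threshold_bits for b in image.values())
    return alert_ts, restore_ts, clean


if __name__ == "__main__":
    print(demo())    # (9.0, 5.0, True): alert at t=9, rewind to t=5, clean image
```

The detector waits for four consecutive high-entropy writes before alerting, so the alert fires at t=9 even though encryption started at t=6; the rewind logic compensates by stepping back the width of the window, landing on the last clean write at t=5 with no legitimate data lost. A shorter window alerts sooner but is more easily tripped by legitimate compressed or already-encrypted files, which is the tuning trade-off any such detector carries.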

As the date for UK financial entities to comply with DORA approaches, the spotlight will turn increasingly towards organisational resilience capabilities and shortcomings. Those that implement the right processes and technologies will be better positioned to navigate the regulatory landscape efficiently and to maintain high standards of operational and digital resilience.
