Today marks the enforcement of the Digital Operational Resilience Act (DORA), a regulation aimed at strengthening the financial sector’s defenses against cyber threats and operational risks. With its focus on ICT risk management, incident reporting, and operational resilience, DORA sets a new benchmark for compliance and preparedness across Europe’s financial institutions and beyond.
But what does this mean for banks, financial service providers, and their extended networks? How are entities preparing to meet these robust standards, and what challenges lie ahead?
Industry leaders share their insights, offering guidance on navigating this regulatory milestone while leveraging it as a catalyst for innovation and collaboration. Here’s what they had to say.
Keith Fenner, SVP and GM International at Diligent
“To navigate the requirements and expectations of DORA effectively, firms must take a proactive approach to compliance and prioritize operational resilience.”
With the deadline being this Friday, banks should establish robust risk management frameworks, appoint senior and third-party risk managers, and implement clear incident reporting processes. Since DORA requires firms to promptly report ICT-related incidents, organizations must also regularly test their ICT tools, systems, and processes to maintain digital resilience and remain compliant.
As businesses prepare for DORA, financial institutions should foster collaboration by sharing insights and best practices with other firms. Having open channels of communication will help organizations collectively enhance their resilience and response capabilities.
Mo Joueid, Identity Security Consultant at SailPoint
“Vast amounts of lucrative data make financial services a prime target for malicious cybercrime. With the new EU regulation DORA fast approaching, compliance will be critical for mitigating cyber threats, and this starts with having well-defined policies in place for managing ICT risk – particularly those related to unauthorized access.”
According to our research, nearly 80% of financial organizations are concerned about vulnerabilities resulting from overprovisioning third-party identities or non-employee access. Increased visibility into supply chains, particularly relationships with subcontractors and partners, amongst others, will be essential in preparation for DORA.
As DORA comes into effect, firms must evaluate the entitlements of each entity operating within their systems, ensuring access is granted on a need-to-know basis only. This includes processes that carefully manage the onboarding and offboarding of non-employees, as well as the lifecycle in between.
Chris Royles, EMEA CTO at Cloudera
“Regulations such as DORA are essential for financial institutions maintaining stability and mitigating operational risk.”
Hybrid cloud architectures have emerged as a crucial strategy for financial institutions to navigate DORA while maintaining innovation and operational efficiency. This model provides the most flexibility, scalability, and security of customer and business data, helping organizations adapt to regulatory changes while optimizing costs and ensuring business continuity. However, hybrid cloud architectures can add more stress to an already complex system.
To stay ahead and compliant when it comes to DORA, a unified hybrid data platform is essential. Having the capability to seamlessly move data and applications between the public cloud and on-premise is central to this approach. Data security and governance can also be built in, with data applications operating the same everywhere. This portability helps address DORA’s concerns around cloud vendor lock-in and cloud consolidation risks while also enhancing digital operational resilience for financial institutions.
Lauren Walters, Security Evangelist at Panaseer
“DORA will be a sea change for the financial services industry, with organizations needing to evidence greater monitoring, control, and understanding of their ICT environment and associated risks.”
However, research shows that 58% of financial services institutions have suffered a security breach in the past year because internal policies, governance and controls failed or were not working effectively. If these organisations are already struggling to monitor and secure their own assets, they’re unlikely to understand third party risk; guarantee operational resilience; and share critical intelligence.
With boards directly accountable for any failures to comply, CISOs can expect more questions from the board over compliance, posture, and risk. But 58% of FS security leaders agree that while they are constantly being asked to provide assurances, they lack the trusted data needed to provide them. This is a crucial gap to plug, not only to provide assurances but to ensure policies, governance and controls are working as they should.
These factors mean that CISOs can’t assume they know what assets they have in place. They need a reliable, centralized inventory that provides actionable insights – a golden source of truth data that includes all assets, controls, owners, criticality, and business context. This is crucial for identifying vulnerabilities, prioritizing fixes, and demonstrating a clear understanding of risk and resilience to both the board and regulators.
Mitun Zavery, VP of Solution Architecture at Sonatype
“If GDPR taught us anything, it was that last-minute compliance efforts lead to headaches and half-measures. As the Digital Operational Resilience Act (DORA) comes into force this week, we may see that same scramble to tick the compliance box as we did when GDPR came into force in 2018.”
Like many EU laws, UK companies may be pulled into scope as the Act extends beyond European financial institutions and deep into their software supply chains. This is a big problem for UK businesses whose European customers fall under the purview of the regulation. The stern financial penalties for non-compliance are enough motivation for EU financial institutions to tell partners, ‘If you aren’t compliant, we need someone who is.
Rather than a burden, UK organizations should see DORA as an opportunity to streamline systems and processes by leveraging automation, reinforcing their software supply chains, and adopting a proactive approach to risk mitigation and vulnerability management. If DORA becomes like GDPR, then prioritizing compliance now will open doors as forms of this standard are adopted in the UK.
Crystal Morin, Cybersecurity Strategist at Sysdig
“Financial businesses are prime targets for cyber attacks. The work they do and the data they handle is inherently sensitive and, as a result, many organizations in the financial sector already have strong security practices.”
DORA helps them enhance their resiliency by first exposing existing security gaps and weaknesses. It gives the financial industry an opportunity to reinforce already robust security programs and for public and private security organizations to provide support, collaboration, and education.
DORA requirements will improve resiliency across the financial sector and reduce the number, frequency, and severity of cybersecurity breaches over time. As with all regulatory changes, I expect that we will experience some growing pains where rethinking cyber defense strategy and budgets are concerned and that the regulators will be adjusted within the first few years, but I believe that the outcomes will be worth the investment.
Just as we’ve seen with other new regulations in the past, compliance is an ongoing project that can always be improved. Given the sheer amount of work it takes to update a large entity’s risk management framework, for example, it won’t be quite as simple as checking a few boxes. However, cloud service providers (CSPs) and managed security service providers (MSSPs) are often first to prioritize compliance for their customers, so I am confident that these providers are prepared enough for DORA implementation on 17 January.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.