How to Comply with the EU’s Digital Operational Resilience Act (DORA)

The 2008 financial crisis pushed many firms in the EU to strengthen their financial resilience. However, as more and more businesses have been embracing digitalization and found themselves relying more on third-party technology providers, cyber threats have also increased and become a growing concern to regulators.

So much so that in September 2020 the European Commission announced the Digital Operational Resilience Act (DORA), an initiative that falls into the Digital Finance Strategy with the specific focus of addressing how financial firms should manage digital risk and ensure they have processes in place to raise supply chain resilience.

DORA’s four key elements are:  

1. ICT risk management
2. ICT-related incidents management, classification, and reporting 
3. Digital operational resilience testing
4. Management of ICT third-party risk

Financial entities impacted by this new regulation are wide-ranging – from credit institutions to payment institutions, crypto-asset providers, alternative investment funds, crowdfunding service providers, and, of course, technology third-party service providers.

Why should non-EU banks care about DORA? 

Frequent disruptive changes are the new normal. This means that every business needs a platform for resilience right now.

Although there is currently no similar regulation being developed in APAC or in North America, resilience is a relevant theme for financial services (and other industries) globally. Financial stability should be a driver for every firm.

• Cross-border operations: Non-EU banks with EU operations must comply with DORA to avoid penalties and operational disruptions.
• Third-party relationships: Compliance is crucial for non-EU banks providing or relying on ICT services to/from EU financial institutions.
• Global regulatory trend: Proactive DORA compliance prepares banks for similar future regulations worldwide.
• Client and regulatory expectations: Meets high standards of operational resilience, satisfying client demands and fostering trust with EU regulators.

What can the financial services industry do?

According to Bain and Company, financial institutions have three options to comply with DORA requirements:

1. Do nothing and wait for the new guidelines to come into effect. The idea here being that this can help minimize the current spending and limit distractions but also with the possibility of incurring higher operational risk and greater exposure to regulatory fines later.
2. Implement some limited tactical changes where gaps are known. Thus, helping to get ahead in some areas and already improving operational resilience.
3. See these implementations and regulatory requirements as an opportunity to address deeper strategic improvements. In turn, building a stronger, more efficient, and resilient organization.

How can Orbus help? 

If we’ve learned anything over the past few years of global economic unease, it’s that businesses need to be agile and resilient in order to survive volatile markets.

When it comes to compliance with new regulations, firms should see this as an opportunity to check their business meets all the criteria. After all, the requirements of having a resilient cyber security risk program in place should be a given.

OrbusInfinity provides a ‘digital blueprint’ of an organization, integrating data from an array of different silos to create a single, centralized view of the strategic direction and the underlying business processes, applications, systems, and data. With these insights available, it enables  financial services institutions to comply with DORA’s new requirements:

Comprehensive organizational resilience: OrbusInfinity provides comprehensive capabilities for modeling, analyzing, and managing all aspects of an organization's resilience posture.

• OrbusInfinity maintains a centralized repository of all business capabilities, processes, applications, data, and technology assets, enabling a holistic view of the organization's resilience posture.
• Mapping the dependencies between business processes, applications, and underlying infrastructures supports the impact analysis and the visualization of end-to-end value streams that help identify single points of failures or bottlenecks that could impact resilience.
• Modeling of recovering strategies for critical processes and systems support business continuity planning.

Third-party dependency management: OrbusInfinity ensures accurate, secure, and accessible data to manage dependencies on and security of third-party vendors, supply chains, and external technology, crucial for compliance with DORA.

• OrbusInfinity maintains a comprehensive inventory of all third-party vendors, services, and technology dependencies, including the relationships between internal processes, applications, and external dependencies to help identify potential risks and vulnerabilities.
• OrbusInfinity supports vendor risk assessments to ensure compliance with DORA's requirements for managing third-party risks.
• OrbusInfinity analytics and dashboards facilitate the reporting of third-party performance, security, and compliance metrics.

Eliminating bureaucratic hurdles: By providing a single view of multiple data sources, OrbusInfinity helps de-bias decision-making and reduces the impact of corporate bureaucracy on resilience efforts.

• OrbusInfinity acts as a single, centralized source of truth for all enterprise data, reducing siloed decision-making and promoting collaboration across different business units and departments, and that can automate the collection and integration of data from various sources, reducing manual effort and increasing data accuracy and consistency.
• Its role-based access and content presentation capabilities ensure that stakeholders have access to the information they need, when they need it.
• Surfacing insights about risk impacts and resilience planning enables data-driven decision-making and reduces bureaucratic bottlenecks.

Current state awareness and progress: OrbusInfinity supports "as-is" and "to-be" modeling, along with scenario planning, to help organizations understand their current security and resilience state and plan future improvements effectively.

• OrbusInfinity maintains up-to-date models of the organization's current ("as-is") state, including business processes, applications, data, and technology assets, overlaying identified resilience gaps and risks.
• The modeling of improvement plans and "what-if" scenarios helps evaluate the potential impact of changes or disruptions on the organization's resilience posture.
• Dashboards enable stakeholders to monitor and track the organization's towards achieving its resilience goals.
  

By leveraging OrbusInfinity, organizations can gain a comprehensive view of their operations, dependencies, and resilience posture, enabling them to effectively manage risks, comply with DORA's requirements, and maintain business continuity in the face of disruptions or cyber threats.

Regulations and audits are only going to increase. The level of diligence firms must show for cyber and privacy concerns will extend to climate risk and sustainability. With OrbusInfinity, you can prepare your business for whatever the future brings.

Contact us to see how OrbusInfinity can help you build a more resilient firm.