The Digital Operational Resilience Act offers a unified approach to digital risk management in the EU, writes Guy Warren
Wide-reaching system outages, rising cyber threats, and the disruption brought by the pandemic have put operational resilience in the digital space on the priority list for financial services regulators.
To keep pace, the European Commission published its Digital Operational Resilience Act (DORA) on 24 September 2020. This legislative proposal merges several existing EU initiatives into one regulation. It aims to build on current risk management requirements for information and communications technologies (ICTs) developed by other EU institutions.
DORA is expected to come into force sometime in 2022 and will provide clarity for EU financial regulators and supervisors tasked with ensuring that firms remain financially and operationally resilient through disruption.
Implications for EU-based firms
For firms operating in the EU, there are several implications to consider and prepare for before DORA comes into force. The Act will establish EU-wide standards for testing digital operational resilience, a responsibility that currently sits with each EU member state individually.
Third-party ICT providers, including cloud service providers, will be regulated by one of the European Supervisory Authorities (ESAs). These authorities will be able to request information, issue recommendations and requests, conduct inspections and impose penalties, such as fines, for non-compliance.
To prepare for DORA’s requirements, financial services firms will need to:
- identify any compliance gaps in their ICT systems;
- determine which of their third-party providers will be considered critical vendors and map their level of risk;
- implement a testing framework for digital resilience; and
- determine whether their current recovery strategies align with the standards set by the new regulations, putting plans in place to improve them where needed.
Building a resilient digital infrastructure
With the advent of legislation such as DORA, the pressure to build operationally resilient businesses and IT estates that can support them has become undeniable.
The complex nature of today’s IT infrastructures, which combine legacy technology with cloud-based and dynamic environments, poses additional challenges for financial services firms. They must put processes in place to ensure operational resilience and prove to the regulators that they are doing so.
The pressure to maintain the running of business-critical services, meet service levels and ensure short resolution times has never been higher for IT departments and senior leadership. And yet, the complex and often siloed nature of today’s hybrid IT estates has made it harder to rise to the challenge.
Therefore, a unified IT monitoring approach is necessary. The optimal outcome for today’s financial firms is an integrated and customisable monitoring solution that satisfies both their demanding business needs and their regulatory requirements.
It is essential to map processes end-to-end within the IT estate and have real-time monitoring in place for business-critical processes.
Having a complete view of the entire IT infrastructure will allow IT managers, business owners and business service owners to identify, track and trace any problems that occur, locate the original fault and find a swift resolution with minimal impact on their business-critical functions and systems.
By mapping out the exact path of an issue, companies are better equipped to deal with current challenges, and plans can be made for the future to minimise the impact. A monitoring solution that provides accurate and timely reporting is also crucial in this context. It will let IT teams answer to internal stakeholders while allowing the business to prove to regulatory bodies that it is compliant with regulations.
In this time of digital disruption, where operational resilience has taken centre stage, financial services firms that do not have a complete overview of their IT estate will not only see their customers walk away, but may also face the substantial financial and reputational damage that can come with non-compliance.
Guy Warren is CEO of ITRS