Digital resilience in the financial sector: Understanding and implementing DORA

July 3, 2024
Eric Williamson

The financial services industry is undergoing a significant transformation in its approach to digital operational resilience.

Two important frameworks have emerged, both coincidentally sharing the acronym DORA but with distinct focuses and implications. This article will explore the Digital Operational Resilience Act (DORA) enacted by the European Union, as well as the DevOps Research and Assessment (DORA) framework.

By understanding both of these DORAs, financial institutions and technology teams can strengthen their operational resilience, improve software delivery performance, and build more secure and efficient digital ecosystems.

Part I: The Digital Operational Resilience Act (DORA)

Background and purpose

The Digital Operational Resilience Act (DORA) is a new regulation from the European Union aimed at enhancing the financial sector's digital operational resilience. It was introduced as part of a comprehensive Digital Finance Package, recognising the growing dependence on technology in financial services and the potential systemic risks of ICT-related disruptions.

DORA emerged in the aftermath of the 2008 financial crisis, which highlighted the interconnectedness of the global financial system. The European Commission realised that a cyberattack or significant ICT failure at a single entity could have cascading effects throughout the sector.

By implementing DORA, the EU aims to harmonise operational resilience standards across member states, fostering a more robust and unified financial environment. Beyond a more secure financial sector, this harmonisation also opens up opportunities for innovation and growth.

Key components of DORA

1. ICT Risk management

At the core of DORA is the requirement for financial entities to implement a comprehensive ICT risk management framework. This framework should encompass:

- Identification of ICT-related risks

- Protection and prevention measures

- Detection of anomalous activities

- Response and recovery strategies

- Learning and evolving mechanisms

Financial institutions must develop ICT strategies, policies, procedures, and tools to minimise the impact of ICT risks. Upon request, they must provide competent authorities with complete and updated information on their ICT risk management framework.

2. Incident management and reporting

DORA mandates a standardised approach to incident management to ensure timely detection, response, and recovery from ICT disruptions. Key requirements include:

- Establishing processes to detect, manage, and notify ICT-related incidents

- Classifying incidents based on criteria specified in the regulation

- Reporting major incidents to relevant authorities within strict timeframes (initial notification within 4 hours, intermediate report, and final report)

- Conducting root cause analysis following major incidents

3. Digital operational resilience testing

Regular testing is crucial to identify vulnerabilities and ensure operational continuity. DORA requires financial entities to conduct the following:

- Basic testing of ICT tools and systems

- Vulnerability assessments and scans

- Network security assessments

- Gap analyses against recognised cyber resilience standards

- Scenario-based testing

- Advanced testing using threat-led penetration testing (for significant entities)

4. Third-party risk management

Recognising the critical role of third-party service providers in the financial ecosystem, DORA places significant emphasis on managing these relationships:

- Financial entities must maintain a register of information for all contractual arrangements with ICT third-party service providers

- Contracts with ICT third-party providers must include specific clauses related to security, incident handling, and exit strategies

- Enhanced oversight and risk mitigation strategies for 'critical' ICT third-party service providers

- Obligation to inform competent authorities about planned contractual arrangements for critical or essential functions
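As an added example (not the article's code and not any regulator's tooling), here is a small Python check over a register of information modelled as a list of records. It flags contracts that lack the clause categories named above (security, incident handling, exit strategy) and planned arrangements for critical or essential functions that have not yet been notified to the competent authority. The record fields, the clause names, the "active"/"planned" status values and the placeholder provider names are assumptions made for this example.

```python
"""Gap check over a third-party ICT register of information (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# Clause categories the article says DORA expects in ICT third-party contracts:
# security, incident handling and exit strategies. The identifiers are this example's own.
REQUIRED_CLAUSES: FrozenSet[str] = frozenset({"security", "incident_handling", "exit_strategy"})


@dataclass(frozen=True)
class Arrangement:
    """One register entry; field names are assumptions made for this example."""
    provider: str
    service: str
    supports_critical_function: bool   # supports a critical or essential function
    clauses: FrozenSet[str]            # clause categories present in the contract
    status: str                        # "active" or "planned"
    authority_notified: bool = False   # competent authority informed of the arrangement


def check_arrangement(a: Arrangement) -> List[str]:
    """Return human-readable findings for one entry (an empty list means no gaps)."""
    findings: List[str] = []
    missing = sorted(REQUIRED_CLAUSES - a.clauses)
    if missing:
        findings.append(f"{a.provider}/{a.service}: contract lacks clauses {missing}")
    # The notification duty in the article applies to *planned* arrangements
    # for critical or essential functions, so only those are checked here.
    if a.supports_critical_function and a.status == "planned" and not a.authority_notified:
        findings.append(
            f"{a.provider}/{a.service}: planned arrangement for a critical or essential "
            "function has not been notified to the competent authority"
        )
    return findings


def audit_register(register: Sequence[Arrangement]) -> List[str]:
    """Run the checks over the whole register and collect every finding."""
    return [finding for entry in register for finding in check_arrangement(entry)]


# Constructed sample register with placeholder provider names.
SAMPLE_REGISTER = [
    Arrangement("cloud-provider-A", "core banking hosting", True,
                frozenset({"security", "incident_handling", "exit_strategy"}), "active", True),
    Arrangement("saas-vendor-B", "customer support ticketing", False,
                frozenset({"security", "incident_handling"}), "active"),
    Arrangement("payments-processor-C", "card authorisation", True,
                frozenset({"security", "incident_handling", "exit_strategy"}), "planned"),
]

if __name__ == "__main__":
    for line in audit_register(SAMPLE_REGISTER):
        print(line)
```

Run against the sample register, the check reports two gaps: the ticketing contract has no exit-strategy clause, and the planned card-authorisation arrangement supports a critical function but has not been notified. A real register would carry many more fields; the point is that the register is a dataset the entity can query for gaps, not just a document produced on request.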

5. Information sharing

DORA encourages the exchange of cyber threat information and intelligence among financial entities to foster collective awareness and strengthen the sector's overall defensive posture.

Scope and timeline

DORA applies to a wide range of financial entities, including:

- Credit institutions (banks)

- Payment institutions

- Electronic money institutions

- Investment firms

- Crypto-asset service providers

- Central securities depositories

- Central counterparties

- Trading venues

- Trade repositories

- Alternative investment fund managers

- Management companies

- Data reporting service providers

- Insurance and reinsurance undertakings

- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries

- Institutions for occupational retirement provision

- Credit rating agencies

- Statutory auditors and audit firms

- Administrators of critical benchmarks

- Crowdfunding service providers

- Securitisation repositories

Additionally, DORA introduces an oversight framework for critical ICT third-party service providers to the financial sector.

Critical dates for DORA implementation:

- January 17, 2023: DORA entered into force

- January 17, 2025: DORA application date (full compliance required)

Between now and the application date, financial entities should conduct gap analyses, develop implementation strategies, and make necessary changes to their ICT risk management practices.

Compliance challenges and strategies

Implementing DORA presents several challenges for financial institutions:

1. Comprehensive risk assessment: Entities must thoroughly evaluate their current ICT risk management practices against DORA's requirements.

2. Policy and procedure development: New or updated policies and procedures must be created that are aligned with DORA's mandates and cover risk management frameworks, incident response protocols, and testing methodologies.

3. Third-party management: It is crucial to strengthen oversight of ICT service providers and ensure their compliance with DORA standards.

4. Resource allocation: Significant personnel, technology, and training investments may be necessary to implement and maintain DORA compliance.

5. Cultural change: It is essential to raise employees' awareness of DORA and foster a culture of digital resilience.

To address these challenges, financial entities should consider the following strategies:

1. Conduct a thorough gap analysis to identify areas needing improvement.

2. Develop a clear roadmap for DORA implementation with defined milestones and responsible parties.

3. Engage with third-party providers early to ensure alignment with DORA requirements.

4. Invest in automation and RegTech solutions to streamline compliance processes.

5. Collaborate with industry peers and regulators to share best practices and interpretations of DORA requirements.

6. Implement regular training programs to update staff on DORA obligations and digital resilience best practices.

Part II: DevOps research and assessment (DORA)

While distinct from the EU regulation, the DevOps Research and Assessment (DORA) framework offers valuable insights for financial institutions seeking to improve their software delivery and operational performance.

Background and purpose

DORA (DevOps Research and Assessment) is a research program initiated by Google Cloud that seeks to understand the capabilities driving software delivery and operational performance.

Since 2014, DORA has been collecting data and publishing annual reports on DevOps, providing organisations with benchmarks and insights to improve their software development and delivery processes.

The four key metrics

At the heart of DORA's research are four key metrics that measure software delivery performance:

1. Deployment Frequency: How often an organisation successfully releases code to production.

2. Lead Time for Changes: The time it takes for a code change to go from commit to production.

3. Change Failure Rate: The percentage of deployments causing a failure in production.

4. Time to Restore Service: How long it takes to recover from a failure in production.

These metrics provide a balanced view of both the speed and stability of software delivery processes.
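As an added illustration (not code from the article or from the DORA research program), the following Python computes the four key metrics from a constructed set of deployment and incident records; it is the kind of calculation the later section on benchmarking performance relies on. The record shapes, the use of a median for lead time and time to restore, the 30-day observation window and the sample values are all assumptions made for this example.

```python
"""Four DORA key metrics computed from constructed delivery records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Sequence


@dataclass(frozen=True)
class Deployment:
    """One production release; commit_at is the earliest commit it contains."""
    commit_at: datetime
    deployed_at: datetime
    caused_failure: bool = False  # did this release cause a production failure?


@dataclass(frozen=True)
class Incident:
    """A production failure, from detection to restored service."""
    detected_at: datetime
    restored_at: datetime


def deployment_frequency(deploys: Sequence[Deployment], window_days: int) -> float:
    """Successful production releases per day over the observation window."""
    if window_days <= 0:
        raise ValueError("window_days must be positive")
    return len(deploys) / window_days


def lead_time_for_changes(deploys: Sequence[Deployment]) -> timedelta:
    """Median commit-to-production time (median, so one slow release does not dominate)."""
    if not deploys:
        raise ValueError("no deployments to measure")
    hours = [(d.deployed_at - d.commit_at).total_seconds() / 3600 for d in deploys]
    if any(h < 0 for h in hours):
        raise ValueError("deployment recorded before its commit; check clock sources")
    return timedelta(hours=median(hours))


def change_failure_rate(deploys: Sequence[Deployment]) -> float:
    """Fraction of releases that caused a production failure (0.0 to 1.0)."""
    if not deploys:
        raise ValueError("no deployments to measure")
    return sum(1 for d in deploys if d.caused_failure) / len(deploys)


def time_to_restore_service(incidents: Sequence[Incident]) -> timedelta:
    """Median detection-to-restoration time; zero when there were no incidents."""
    if not incidents:
        return timedelta(0)
    minutes = [(i.restored_at - i.detected_at).total_seconds() / 60 for i in incidents]
    if any(m < 0 for m in minutes):
        raise ValueError("incident restored before it was detected; check clock sources")
    return timedelta(minutes=median(minutes))


def summarize(deploys: Sequence[Deployment], incidents: Sequence[Incident],
              window_days: int) -> Dict[str, object]:
    """All four metrics for one observation window."""
    return {
        "deployment_frequency_per_day": deployment_frequency(deploys, window_days),
        "lead_time_for_changes": lead_time_for_changes(deploys),
        "change_failure_rate": change_failure_rate(deploys),
        "time_to_restore_service": time_to_restore_service(incidents),
    }


# Constructed sample data: ten releases over 30 days, one every three days.
_BASE = datetime(2024, 6, 1, 9, 0)
_LEAD_HOURS = [1, 2, 3, 4, 5, 6, 8, 10, 24, 120]  # the last one is a deliberate outlier
SAMPLE_DEPLOYMENTS = [
    Deployment(
        commit_at=_BASE + timedelta(days=3 * i, hours=-h),
        deployed_at=_BASE + timedelta(days=3 * i),
        caused_failure=i in (5, 9),  # two of ten releases broke production
    )
    for i, h in enumerate(_LEAD_HOURS)
]
SAMPLE_INCIDENTS = [
    Incident(_BASE + timedelta(days=15, hours=1), _BASE + timedelta(days=15, hours=1, minutes=45)),
    Incident(_BASE + timedelta(days=27, hours=2), _BASE + timedelta(days=27, hours=5, minutes=15)),
]

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_DEPLOYMENTS, SAMPLE_INCIDENTS, 30).items():
        print(f"{name}: {value}")
```

On the sample data this gives one deployment every three days, a median lead time of 5.5 hours (the 120-hour outlier would have pushed a mean to over 18 hours), a change failure rate of 20 percent and a median time to restore of two hours. The negative-duration checks matter in practice: metrics pulled from CI and ticketing systems with unsynchronised clocks otherwise produce quietly wrong numbers.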

The DORA core model

Beyond the four key metrics, DORA has developed a comprehensive model known as the DORA Core Model.

This model illustrates the relationships between various technical and cultural capabilities, software delivery performance, and organisational outcomes.

Key components of the DORA Core Model include:

1. Technical Capabilities:

   - Continuous delivery

   - Architecture

   - Cloud infrastructure

   - Testability

   - Deployment automation

   - Trunk-based development

   - Shift-left on security

   - Database change management

   - Monitoring and observability

   - Continuous testing

   - Version control

2. Cultural Capabilities:

   - Generative organisational culture

   - Learning culture

   - Job satisfaction

3. Outcomes:

   - Software delivery performance (measured by the four key metrics)

   - Organisational performance (e.g., profitability, productivity, customer satisfaction)

   - Individual well-being (less burnout, greater job satisfaction)

The DORA Core Model demonstrates how improvements in technical and cultural capabilities can lead to better software delivery performance, which in turn drives positive organisational outcomes and employee well-being.

Applying DORA in financial services

While DORA (DevOps Research and Assessment) was not explicitly designed for the financial sector, its principles and metrics can be highly valuable for financial institutions seeking to improve their software delivery processes and overall digital resilience. Here are some ways financial organisations can leverage DORA insights:

1. Benchmark performance: Use the four key metrics to assess current software delivery performance and set improvement goals.

2. Identify improvement areas: The DORA Core Model can help organisations pinpoint specific technical or cultural capabilities that need enhancement.

3. Enhance security practices: DORA's emphasis on "shift-left" security aligns well with the cybersecurity requirements of the Digital Operational Resilience Act.

4. Foster a learning culture: DORA's focus on continuous improvement and learning can help financial institutions adapt more quickly to changing technological and regulatory landscapes.

5. Improve incident response: By focusing on metrics like "Time to Restore Service," organisations can enhance their ability to respond to and recover from ICT-related incidents, a vital requirement of the EU's DORA regulation.

Conclusion

As the financial services industry digitises, operational resilience becomes increasingly critical. The EU's Digital Operational Resilience Act (DORA) provides a regulatory framework to ensure that financial institutions and their technology providers implement robust ICT risk management practices. Simultaneously, the DevOps Research and Assessment (DORA) framework offers valuable insights into improving software delivery performance and organisational outcomes.

By embracing both DORAs, financial institutions can create a comprehensive approach to digital resilience. The EU's DORA ensures compliance with regulatory standards and establishes a baseline for ICT risk management. Meanwhile, the DevOps DORA framework provides tools and metrics to continuously improve software delivery processes, enhancing an organisation's ability to meet the technical challenges posed by regulatory requirements.

As the January 2025 deadline for EU DORA compliance approaches, financial institutions should view this not merely as a regulatory hurdle but as an opportunity to fundamentally strengthen their digital operations. By combining regulatory compliance with the best DevOps and software delivery practices, organisations can build a more resilient, efficient, and secure financial ecosystem that benefits all stakeholders.

The journey towards digital operational resilience is complex and ongoing. However, with the right strategies, investments, and cultural shifts, financial institutions can successfully navigate this landscape and ensure they are well-prepared for future digital challenges and opportunities.

Disclaimer: The content provided on this article is for general informational and educational purposes only. It is not intended to serve as legal, financial, medical, or professional advice of any kind. By accessing and using this article, you acknowledge and agree that no professional relationship or duty of care is established between you and the blog authors, owners, or operators. The information presented may not be current, complete, or applicable to your specific circumstances. It should not be relied upon as a substitute for seeking advice from qualified professionals in relevant fields. Any actions you take based on the information provided on this article are at your own risk. The authors, owners, and operators are not liable for any losses, damages, or negative consequences resulting from your use of or reliance on the content. The views and opinions expressed on this article are those of the authors and do not necessarily reflect the official policy or position of any other agency, organisation, employer, or company. This article may contain links to external websites. We are not responsible for these external sites' content, accuracy, or reliability. The information on this blog is subject to change without notice. We make no representations or warranties about any content's accuracy, completeness, or reliability. Any product recommendations or reviews in this article are based on personal opinion and experience. Unless explicitly stated, they do not constitute endorsements, and we are not compensated for featuring specific products. Comments and user-generated content do not reflect the views of the owners and are not endorsed by us. We strongly encourage you to consult with appropriate licensed professionals before making any decisions or taking any actions based on the information provided on this article. Your use of this blog indicates your acceptance of this disclaimer in its entirety.