Four Things CEOs Need to Know About DORA

Financial services organisations have until January 2025 to be DORA compliant. But what exactly is DORA? Mark Coates lays out four things CEOs should understand about DORA

Earlier this year, DORA – the Digital Operational Resilience Act – came into force to bolster information security resilience for financial services across the EU. This regulation is an essential shift, especially for an industry that has seen a significant growth in the cloud and holds so much sensitive data.

What is DORA?

The main aim of DORA is to ensure that the financial services industry can withstand and respond to digital risks, such as cyber threats, data breaches, and system failures, consistently and effectively.

The proposed regulation covers various issues related to digital operational resilience, including cybersecurity, IT risk management, incident response, outsourcing, and third-party risk management. In addition, it outlines a set of requirements and expectations for financial institutions and other relevant entities, such as cloud service providers, payment service providers, and stock exchanges.

While the hybrid cloud (a computing environment that combines public and private cloud services) offers various benefits, from scalability to cost savings if optimised, many organisations aren’t sufficiently monitoring this complex environment. Security is, therefore, a big concern, with 42% of global IT and security leaders citing cloud applications as a common ransomware threat vector. This is often a result of cyber-criminals exploiting a weakness or vulnerability and hiding in cloud blind spots before deploying malware or exfiltrating data.

DORA will play a significant role in reducing this risk for financial institutions. Yet, compliance and risk management can be daunting for business leaders without extensive experience in cybersecurity and limited insight into their IT infrastructure. For those that aren’t sure where to start, we’ve outlined four things every CEO in financial services should know about this regulation.

1: Organisations have two years to comply

DORA signifies a huge change for the financial services industry that organisations need to start implementing now if they’re going to meet compliance by 2025. While it officially came into force in January this year, there’s now a two-year period for the financial services industry – including insurers, crypto-asset service providers and crowdfunding service providers – to make severe changes to security culture. Organisations must comply by January 17^th 2025, and key pillars include risk management, incident management and information sharing arrangements.

2: Security is no longer just security’s problem

One big shift that financial institutions need to acknowledge is that DORA mandates that the board is accountable for IT risk. These board members could face hefty fines or even prison time if they cannot comply. Ignorance is no excuse. DORA expects board members to be educated on the threats facing their business and to recognise how best to protect their hybrid cloud environment.

However, leaders do not need to react to this regulation and cloud security threats by applying rigour and lockdown to their environments. Instead, financial organisations must embrace freedom in the mobile workplace with a ‘single source of truth’ across all data in motion. They want to promote an open compute project approach, giving freedom to innovate while putting security posture and compliance front of mind. And if you’re currently scratching your head thinking, ‘What on earth is a single source of truth?’ it refers to structuring information to ensure there is only one authoritative source of a piece of data.

3: Cloud consolidation may not be simple

The unexpected spiralling cost of the cloud has recently become a stumbling block for organisations. As we’re in a challenging economic climate, many want to optimise and consolidate what is already in place to reduce complexity while saving costs. Yet consolidation of cloud vendors may not be simple for financial institutions. DORA focuses considerably on third-party risk and the concentration of risk in terms of relying on a single third-party supplier. In other words, it is essential to consider the risk of consolidation, and a multi-cloud strategy is likely to provide more digital resilience.

However, optimisation and reducing complexity remain critical for cutting cloud costs and compliance with DORA. This is only possible with insight into all traffic to identify precisely where bottlenecks and blind spots exist, otherwise known as deep observability.

4: Deep observability is critical for compliance

Across pillars, DORA specifies that organisations must continuously identify risks to set up protection and prevention measures, promptly detect anomalous activities and quickly identify and eliminate any weaknesses, deficiencies or gaps in digital operations. To achieve this, security teams need real-time, network-level intelligence to track activity across a network and eradicate blind spots powered by deep observability. This means going beyond current log and trace-based monitoring tools, optimising and amplifying the power of these solutions to detect suspicious activity and act accordingly rapidly.

This deep observability will reduce complexity and cost and enable the open compute project philosophy needed by business leaders to achieve greater understanding, as well as accountability, of cyber risk.

Both DORA compliance and the hybrid cloud present incredible business opportunities for enterprises if they get them right. Whilst this is no simple task, it is far more achievable if teams have total visibility across their digital infrastructure.