DORA: A paradigm shift in cybersecurity and operational resilience


In the dynamic realm of governmental regulations, the Digital Operational Resilience Act (DORA) in the EU emerges as a game-changer. Slated for a detailed rollout by early 2024, the buzz surrounding DORA has resonated within the information and communication technology (ICT) and financial sectors for quite some time, and its distinction lies in its holistic and authoritative approach.

DORA is heralded as the high-water mark for cybersecurity regulations tailored for the financial arena. Its mission? To redefine cybersecurity and supply risk management at a global scale, encompassing banks, insurers, pension providers, and the broader spectrum of ICTs aligned with European operations.

Unlocking the breadth of DORA's policy significance

While DORA is a critical policy set by EU regulation, the significance of the legislation is multifaceted. DORA will thus continue to demand global attention as stakeholders across multiple lines of business within financial services will seek to get a handle on its requirements. 

Some of the key considerations include:

  • Beyond EU’s borders: One pervasive myth is that the ramifications stemming from DORA are confined to the boundaries of the European Union. That is not the case. Its requirements for network and information system security have a far-reaching scope. It extends its influence beyond EU financial institutions to include any vital third-party vendor offering ICT-related services. This includes, but isn't limited to, cloud platforms, data analytics, and SaaS offerings.
  • Novel regulatory approach: DORA stands out by integrating cybersecurity requirements for both financial institutions and their supply chains, including IT vendors. Its ambition is to holistically tackle the broader issue of operational risk. In the annals of regulatory structures, DORA is the pioneer that equates cybersecurity risk with financial risk, setting an unparalleled benchmark.
  • A contrasting design from US protocols: In stark contrast to many US regulations, which are often presented as voluntary industry standards or best practices, DORA takes a decidedly authoritative stance. Its mandates are compulsory, leaving little room for flexibility. The downstream effects of DORA will be numerous. Even those not directly transacting with financial entities could be impacted if they are part of the long supply chain, given that DORA mandates can be contractually imposed.

Why operational resilience for financial services?

At the heart of DORA is operational resilience. This entails an organization's ability to navigate disruptions, ensuring seamless operations while safeguarding its workforce and assets. The pandemic underscored the urgency of operational resilience. As a majority of consumers pivoted to digital platforms, many financial entities faced daunting operational hurdles, a challenge mirrored in government services. Such pervasive issues have spurred the advent of refreshed regulations worldwide. The UK, for instance, has introduced stringent operational resilience directives, compelling financial entities to ensure adherence by 2025. This initiative is setting a global trend, with multiple international regulators poised to adopt analogous measures.

DORA compliance will require holistic visibility and collaboration

Given the breadth and complexity of financial IT ecosystems, being able to truly deliver on the mandates of DORA requires holistic visibility and coordination between security, compliance, operations, and IT teams. Financial institutions need to understand the interconnectedness of their own environment and third parties. When an unusual event or anomaly is identified, what is the cause behind that issue? Is it a quick fix by IT operations, or a bad actor looking to steal credentials? 

Many CIOs in financial services are encouraging open platforms that multiple domains can adopt to drive insights, collaboration, and workflow automation. Increasingly, FSIs are adopting single platforms for observability and security to capture telemetry that can also be used to detect, investigate, and remediate threats, at scale. In collaboration, teams can work to identify where weaknesses occur and continuously monitor their ecosystems for adherence to security and compliance protocols, and the standards set by DORA. Revolutionary tools such as AI Assistants are being used in both the security and observability space to help teams respond to events faster and address productivity challenges.

As DORA goes into effect, one thing is certain: financial institutions are going to need to find better ways of collaborating — both internally, and across the financial ecosystem. The right tools will play a key role in this, as organizations look to modernize and stay in-line with customer and government expectations for risk mitigation.

Learn more from industry experts about DORA and how to drive resilience with the right security measures and tools in our Securing the Future of Finance webinar.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.