Preparing for DORA: Ensuring Compliance and Governance for Digital Operational Resilience

According to the International Monetary Fund (IMF), cyberattacks have more than doubled since the pandemic, with financial firms accounting for one-fifth of the total attacks. Monitory losses have quadrupled since 2017 to 2.5 billion, and this does not account for the indirect losses like the loss of customer confidence in financial institutions.  With cyberattacks rising exponentially and financial institutions a primary target for cyber criminals, operational resilience is crucial for the continuity and security of this industry. The European Union's Digital Operational Resilience Act (DORA) aims to ensure that financial entities are well-prepared to withstand, respond to, and recover from all types of Information and Communication Technology (ICT) disruptions and threats. As DORA sets forth a robust regulatory framework, financial entities need to take strategic actions to meet its compliance and governance requirements. There are key steps for organizations to effectively prepare for DORA, focusing on actions necessary to align with its requirements. 

Understanding DORA: A Brief Overview

DORA, introduced by the European Commission in September 2020, is part of the broader Digital Finance Strategy. Its primary objective is to harmonize ICT risk management requirements across the EU financial sector, enhancing the resilience of financial institutions against ICT-related disruptions. DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, and third-party ICT service providers.  The regulation is structured around five key pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.

DORA regulations are designed to increase protection and resiliency of customer data, minimizing risks in the tech supply chain, and ensuring business resiliency in the event of a cyber incident.  Financial organizations must start preparing now to be able to meet the January 2025 implementation date.  If they fail to prepare the penalties it could result in up to 2% of the total annual turnover and 3rd party ICT service providers could face fines up to €5 Million.

Key Recommendations for DORA Regulation Articles:

Per Article 5 of DORA: 

“Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk”

To comply with DORA, companies need robust information governance and compliance measures. Veritas Data Insight and Dark Data Assessment can be used to create an inventory of all ICT assets, data flows, and processes, and classify data based on sensitivity and criticality.  This helps ensure proper handling and protection of unstructured data, particularly sensitive data. Additionally, developing and documenting comprehensive ICT risk management policies and establishing procedures for identifying, assessing, and mitigating ICT risks is crucial. 

Veritas Enterprise Vault & Veritas Alta™ Cloud Archiving can assist in aligning ICT risk management practices with DORA requirements and other relevant regulations and conducting regular audits to verify compliance with internal policies and external standards.  This powerful tool can archive from over 120 sources, including live sources such as Microsoft Teams, SharePoint, and OneDrive.  It provides a granular review and analysis of your communications data to meet stringent compliance regulations like, the General Data Protection Regulation (GDPR).  

To Learn More about Veritas Alta™ Archiving watch this video:

Providing tools for policy management, data classification, and retention is essential. Veritas Alta™ Information Governance helps organizations establish and enforce robust policies that ensure data integrity and compliance with regulatory requirements across many geographies (i.e. GDPR or CCPA).  By classifying and retaining data according to predefined policies, financial entities can ensure that their ICT governance frameworks are compliant and managed at scale.  Veritas Information Governance utilizes advanced AI to automate the data classification and management process without sacrificing human oversight to ensure that governance policies are consistently applied across the data landscape.  

To learn more about Veritas Information Governance watch this video:  

Additionally,  Veritas Alta™ eDiscovery can assist organizations to efficiently respond to legal and regulatory inquiries by identifying, preserving, and retrieving relevant data.  This powerful tool has robust search, and analytics features that facilitate the thorough examination of data, ensuring that all relevant information is accessible and protected throughout the legal process.  The integration of eDiscovery with Information Governance ensures that data is managed and governed from creation to disposal, providing a seamless and compliant ICT governance structure.  Together, they ensure that financial entities can maintain effective ICT controls, reduce legal risks, and comply with DORA requirements.  

To learn more about Veritas eDiscovery watch this video:  

Per Article 12 of DORA: 

“Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods…Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically.”

Developing a comprehensive testing framework and running recovery/resiliency rehearsals that includes vulnerability assessments, penetration testing, and scenario-based testing is necessary. Veritas InfoScale & Veritas Alta™ Enterprise Resiliency are built to provide high availability and redundancy at scale.  Both can help maintain detailed records of all resiliency tests conducted, including findings, remediation actions, and lessons learned. This testing can take place without disrupting the production environment with the resiliency rehearsals feature.  Regular resiliency testing ensures ongoing preparedness, and analyzing test results to identify weaknesses and areas for improvement is crucial to meeting both recovery point objective (RPO) and recovery time objectives (RTO). Findings should be reported to senior management and relevant stakeholders, with remediation plans implemented as needed. 

To learn more about Veritas Alta™ Enterprise Resiliency watch this video:  

Per Article 19 of DORA: 

“Financial entities shall report major ICT-related incidents to the relevant competent authority” 

Developing and maintaining internal communication channels for sharing threat intelligence and incident information across the organization is crucial. Participating in industry information-sharing networks to exchange threat intelligence and best practices with other financial institutions can enhance preparedness and response. Promoting a culture of transparency and openness regarding ICT risks and incidents ensures timely and accurate sharing of information with regulatory authorities and industry peers. Detailed records of all information-sharing activities, including the nature of information shared and the entities involved, should be maintained.

The Digital Operational Resilience Act (DORA) is a major step forward in improving the resilience of the EU financial sector against ICT-related disruptions. By implementing strong information governance and compliance measures, and leveraging the Veritas Compliance and Governance portfolio, companies can ensure alignment with DORA’s articles and build a robust foundation for digital operational resilience. As the digital landscape changes, staying ahead of regulatory requirements with industry best practices will be key to maintaining a resilient and secure financial ecosystem.

To learn more about how Veritas solutions can help you prepare for DORA, check out this blog from Tim Burlowski, Global Lead, Cyber Resiliency:  Building Cyber Resilience:  The Cornerstone of DORA Compliance.