How can platform engineering be used to ensure compliance with the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force on 16 January 2023. It strengthens the operational resilience and ICT risk management of the European financial sector and of the ICT third-party providers it depends on, and it substantially changes how financial entities and their partners are expected to manage ICT and cyber risk.
The Digital Operational Resilience Act will apply as of 17 January 2025, but some local regulators may require earlier compliance.
Read this article to learn how platform engineering can help achieve DORA compliance.
What is the DORA regulation?
The Digital Operational Resilience Act (DORA) is an EU-wide regulation that provides a common ICT risk management framework and set of rules for the financial sector. It applies to nearly all financial entities within the European Union, including banks, insurance companies, and investment firms, as well as to the ICT third-party service providers that the European Supervisory Authorities designate as critical, a category that can include cloud infrastructure providers and managed IT services vendors.
DORA requires financial entities to manage ICT risk so that they can withstand, respond to, and recover from ICT-related incidents that could affect their critical or important functions, and it brings the ICT third-party providers they rely on under regulatory oversight.
DORA’s requirements for the financial sector
According to the Digital Operational Resilience Act, companies in the financial sector must implement specific measures in five key areas, often called the five pillars: ICT risk management, ICT-related incident management and reporting, management of ICT third-party risk, digital operational resilience testing, and information sharing.
1. Improving ICT risk management capabilities
DORA provides financial organizations with principles and requirements for creating a robust ICT risk management framework and addressing risk factors such as cyber-attacks, ICT disruptions, and third-party provider issues.
2. Setting clear guidelines for incident reporting
Under DORA, banks, insurance intermediaries, investment firms, and other companies in the sector must classify ICT-related incidents against criteria set out in the legislation and report major incidents to their competent authority, following the sequence of initial notification, intermediate report, and final report that DORA prescribes.
3. Strengthening ICT third-party risk management
Financial entities must manage the risk arising from ICT third-party providers, in particular those supporting critical or important functions, through due diligence before contracting, ongoing risk assessment, and contractual provisions that include audit and access rights. Providers designated as critical that are established outside the EU must set up a subsidiary in the Union within twelve months of being designated.
The detailed requirements are set out in Regulatory Technical Standards (RTS) developed by the European Supervisory Authorities. DORA also requires financial entities to test their business continuity plans at least yearly and to maintain documented and tested exit strategies for ICT services that support critical or important functions, so that a contract can be terminated or a provider replaced without disrupting business activities or breaching regulatory requirements. Software escrow agreements, which give the financial entity access to source code if a vendor fails or becomes insolvent, are one practical way to support such an exit strategy: DORA does not mandate them, but they can keep operations running and shorten downtime when a vendor disappears.
4. Implementing digital operational resilience testing
The Digital Operational Resilience Act requires every financial entity to maintain a digital operational resilience testing programme and describes a basic tier and an advanced tier. At the basic tier, ICT tools and systems supporting critical or important functions must be tested at least yearly, using methods such as vulnerability assessments, scenario-based testing, and penetration testing. At the advanced tier, financial entities identified by their competent authority must carry out threat-led penetration testing (TLPT) against live production systems at least every three years.
5. Threat intelligence information sharing
Lastly, DORA encourages financial entities to exchange cyber threat information and intelligence with one another, including indicators of compromise, tactics, techniques and procedures, and cyber security alerts, within trusted communities of financial entities, and to notify their competent authority when they join or leave such an arrangement. The aim is to strengthen collective cyber security defenses across the European Union.
The three European Supervisory Authorities (ESAs), which draft DORA's technical standards and jointly operate the oversight framework for critical ICT third-party providers, are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Platform engineering as a solution for achieving compliance with the DORA regulation
The Digital Operational Resilience Act sets strict standards for the financial sector and its ICT third-party service providers to improve digital risk management and ensure business continuity for financial entities, securing financial stability across the EU.
With the January 2025 compliance deadline fast approaching, financial services organizations must adopt solid technology frameworks to meet these requirements. Maxima Consulting provides the services, tools, and infrastructure needed to achieve DORA compliance through our platform engineering solution, Cloud Orbit, a robust platform that can quickly improve digital operational resilience.
Send us a message today, and we will schedule a complimentary consultation to discuss how Maxima Consulting can support your DORA compliance journey.