What is the impact of the Digital Operational Resilience Act (DORA) on my IT?
If you’re in banking, you know the drill. Adhering to stringent EU regulations is standard practice. This involves undergoing extensive audits, closely managing IT assets, maintaining your CIA (Confidentiality, Integrity, Availability) rating, conducting and responding to fire drills and establishing continuity plans. So far, nothing new, and if you’re in other highly regulated environments, you know that these measures are commonplace.
When I was an IT manager at ING, one of the larger banks in the Netherlands, these tasks were part of my daily routine. It was very clear to me that maintaining control was super important. Everything I did had a primary focus: managing IT risk.
With the Digital Operational Resilience Act (DORA), there’s a surge in attention towards IT risk management. This has implications across different levels within organizations:
- For engineering managers, this means ensuring adherence to best practices in software development and system architecture to bolster operational resilience.
- Senior decision-makers will have to allocate resources and prioritize initiatives that support DORA compliance.
- IT teams are responsible for implementing measures to achieve DORA compliance.
All of this is to say, “It’s time to be DORA Compliant.”
As the financial industry adapts to this significant regulatory change brought about by DORA, the importance of comprehensive IT risk management has never been clearer. In this landscape of stringent audits and complex compliance demands, SUSE can help out by offering an observability solution that transcends traditional IT monitoring.
This blog shows how SUSE can help organizations meet DORA requirements. It also changes how they see and manage IT risks, so that they are more resilient and efficient.
Introducing Digital Operational Resilience Act (DORA)
With DORA now in effect, Information and Communications Technology (ICT) Risk takes center stage. You might be wondering if your company is prepared to deal with DORA or, more importantly, what additional steps need to be taken to ensure readiness. Compliance with this new EU Regulation 2022/2554 may be a top priority.
Let’s explore a specific part of the new DORA regulation and highlight how SUSE can assist. Section 2, chapters 6 to 16, is particularly relevant.
We’ll focus on how ICT Risk Management is shaped within the following five topics:
- Identification
- Protection and prevention
- Detection
- Response and recovery
- Learning and evolving
Let’s avoid the theoretical framework and break down the topics above into actionable steps, helping you understand what it means to apply them in practice.
Topic 1: Identification
For IT managers navigating DORA’s requirements, the key focus of the ‘identification’ section is the thorough documentation and classification of all IT-supported business functions, information and ICT assets, including their roles and interdependencies.
This involves continuous assessment of ICT risks, regular reviews and updating records after significant infrastructural changes. Mapping and inventory maintenance of all ICT assets is super important, as is the documentation of processes reliant on third-party ICT services.
This strict process of finding and documenting risks helps create a strong foundation for managing and reducing ICT risks. This is in line with DORA’s goal of making financial organizations more resilient. While tools like a CMDB can be helpful for tracking inventory, in my experience as an IT manager, it’s difficult to keep them completely up-to-date and aligned with what’s really happening.
Topic 2: Protection and prevention
To meet DORA’s ‘protection and prevention’ requirements, financial entities need to consistently monitor and control their ICT systems for security and availability. This includes implementing suitable security and monitoring tools, as well as policies and procedures, to minimize the impact of ICT risks from the start.
Financial entities will need to develop and put into action ICT security policies focused on resilience and data protection. These policies should address aspects like data transfer, minimizing data loss or corruption, ensuring data availability and protecting against management risks. Key components of the policy should include access control, robust authentication methods, encryption, change management and patch management.
In addition, we have to emphasize the significance of system availability and ongoing monitoring. These elements are essential for maintaining operational resilience and guaranteeing that financial services remain uninterrupted. You’ll find that effective observability enables early detection of possible security issues while prioritizing system availability ensures continuous access to critical financial processes, which in turn protects the operational integrity of the institution.
Topic 3: Detection
For IT managers in financial entities, DORA’s emphasis on ‘detection’ involves establishing strong mechanisms to quickly identify unusual activities, such as network performance problems and ICT-related incidents.
This includes establishing multiple layers of control, defining alert thresholds and initiating incident response procedures. It also entails allocating adequate resources to monitor user activity and ICT anomalies, particularly cyber attacks.
Effective detection is key to preemptively identifying potential failures and safeguarding the resilience and security of financial systems. This approach aligns with observability practices, facilitating a more responsive and proactive IT environment.
Topic 4: Response and recovery
For IT managers, DORA’s sections on ‘response and recovery’ underscore the significance of having a thorough ICT business continuity policy in place. This policy should undergo regular testing and updates, particularly following noteworthy changes in ICT systems. It involves creating detailed response and recovery plans, performing business impact analysis and upholding crisis communication protocols.
This guarantees not just the quick resolution of ICT-related incidents but also ensures that ICT systems align with the broader business continuity strategy. The aim is to minimize disruptions to critical functions while continuing to provide seamless operations.
Topic 5: Learning and evolving
The ‘learning and evolving’ section of DORA stresses the importance of continuous improvement in digital operational resilience. Financial organizations are tasked with gathering and analyzing data on vulnerabilities, cyber threats and ICT-related incidents to bolster their resilience. However, real progress occurs during post-incident reviews, where disruptions are evaluated and ICT operations are refined.
Regular monitoring and updating of the digital operational resilience strategy is just as important as staying informed about technological advancements. Training programs in ICT security and resilience should be mandated for all staff, including senior management, to establish a proactive and informed approach to managing ICT risks.
How SUSE Observability supports enterprises navigating DORA compliance
SUSE Observability can be incredibly helpful in numerous aspects of this IT risk framework. By providing the tools and insights needed for every stage of compliance and resilience building, our full-stack observability solution aims to meet — and exceed — the requirements outlined by DORA. Here’s how:
- Identification — By utilizing SUSE Observability’s automated processes for monitoring, correlating and analyzing topology changes and metrics, businesses can establish a strong foundation for understanding all IT assets — and their relationships — within their environment. This includes understanding when components are added or removed.
- Protection and prevention — SUSE Observability’s out-of-the-box monitors bring all your business apps together in a single view and provide continuous data correlation to help you proactively safeguard the end-user experience. By offering a comprehensive 360-degree view of your entire mission-critical infrastructure, it fosters cross-team collaboration and drives innovation.
- Detection — By capturing and displaying real-time data alongside historical data, our dynamic topology facilitates quicker issue identification and better troubleshooting. Coupled with our dependency maps, which plot all interdependency changes over time, SUSE Observability alerts your engineers to issues as they occur. This allows them to easily diagnose the root cause for faster and more thorough resolution.
- Response and recovery — SUSE Observability’s abilities in event correlation, topology intelligence and time-travel insights facilitate the development of comprehensive ICT business continuity policies backed by detailed ‘response and recovery’ plans, business impact analysis and the upkeep of crisis communication protocols. Additionally, SUSE Observability’s remediation guides assist engineering teams in quickly troubleshooting and resolving detected issues.
- Learning and evolving — SUSE Observability fosters continuous improvement in digital operational resilience. After issues are detected, resolved and thoroughly analyzed through a postmortem process, the insights gained can flow back into new or adjusted policies and remediation guides. These efforts aim to prevent similar issues in the future and expedite remediation if they do recur.
Rest assured, with SUSE Observability, you’re ready for DORA
In an era where digital transformation drives business innovation, DORA’s regulations present both challenges and opportunities for IT teams across the financial sector.
With SUSE Observability, IT teams can confidently meet DORA’s requirements, ensuring their IT infrastructure is not only compliant but also optimized for resilience and excellence.
We invite you to explore the world of full-stack observability by contacting us or by downloading our e-book for more insights.