What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is regulatory legislation proposed by the European Commission that seeks to improve the resilience posture of financial services organizations that operate within the EU. First introduced in September 2020, a provisional agreement on the DORA’s content was reached on May 11th, 2022. It is expected to be finalized later in 2022 and will have an aggressive timetable of implementation and final compliance by Q4 2024.
Under these new regulations, financial services organizations and Information and Communication Technology (ICT) third-party providers will need to focus on the following five key pillars of the DORA.
- Risk management - requiring a robust, well-documented ICT risk management framework to effectively deliver greater digital operational resilience.
- Incident reporting - requiring an ICT-related incident management process and the development of capabilities to monitor, handle, and follow up on such incidents.
- Digital operational resilience testing - obligations to implement a proportional and risk-based digital operational resilience testing program on an annual basis and penetration testing every three years.
- ICT third-party risk - maintains that ICT third-party risk should be managed by the financial services organizations as an integral component of their ICT risk management framework.
- Information sharing - defining a process to be put in place to share cyber threat information and intelligence, provided such exchange of information aims at enhancing the digital operational resilience of financial services organizations. This also takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets, and competition).
Financial services organizations will undoubtedly need to find best-of-breed solutions to address these pillars. In particular, the DORA’s recommendations for digital operational resilience testing are a fundamental capability of Cutover as our platform helps the world’s largest financial service organizations support their IT disaster recovery strategies.
Which organizations will be impacted by the Digital Operational Resilience Act?
The DORA is very wide in scope and encompasses a range of financial services organizations operating in the EU, including banks, loan organizations, insurance companies, and auditors. The DORA also applies to the critical ICT third-party providers (cloud and non-cloud), as defined in the regulation, that service the financial industry and could have a systemic impact on financial services provisioning in Europe. Examples of the financial services organizations regulated at the EU level that will be impacted by the DORA include:
- Capital markets
- Payment institutions
- Investment firms
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Trading venues
- Financial system providers
- Credit institutions
How to address the Digital Operational Resilience Act’s digital operational resilience testing pillar
For this key pillar of the DORA, financial services organizations will need to carry out a comprehensive digital operational resilience testing program at least annually. The DORA also has a specific provision that requires financial services organizations to ensure the involvement of ICT third-party providers in their digital operational resilience testing whenever applicable. Likewise, threat-led penetration testing will need to be undertaken by financial services organizations at least every three years and should be done with the direct participation of the relevant ICT third-party service providers.
Organizations under pressure to be compliant with the DORA will benefit from a dedicated platform with a collaborative automation approach that interconnects their teams, applications, and technologies to ensure that all tasks, both manual and automated, are addressed and auditable. Furthermore, organizations under the DORA will be subject to independent audits for operational resilience testing. This means that financial services organizations will need to provide detailed reports and logs to the regulatory authorities of the results from their ICT recovery tests.
The DORA digital operational resilience testing pillar also includes change management, requiring financial services organizations to check and prove that recovery plans are still relevant following any infrastructure changes, so it is important to have a templated and approved runbook library in order to stay within compliance rules.
How Cutover can help you comply with the Digital Operational Resilience Act
Built with the foundational purpose of enabling humans and technology to collaborate on IT disaster recovery strategies, Cutover provides you with the recovery capabilities required for success, including hosting multi-team and technology recovery plans, performing planned or unplanned resilience testing, and recovering from actual events, all with visibility into execution analytics (e.g. Recovery Time Objective, Recovery Time Actual, etc.) and audit logs on the Cutover platform.
Cutover goes well beyond generic workflows or process management tools by enabling you to reduce both event planning and execution time with dynamic, automated collaborative runbooks that enhance visibility for stakeholders through reporting, audit, and analytics capabilities.
Using Cutover to regularly test service-based recovery plans allows you to measure recovery time achieved (RTA) and demonstrate that you can recover your applications and ICT services according to the demands of your supported businesses.
Cutover can be used no matter what kind of IT disaster recovery events you need to execute. In today’s world, organizations have on-premises, cloud-native, and hybrid cloud architectures. Since Cutover is a system of execution for IT disaster recovery strategies, our customers regularly use the platform to execute switchover events between their on-premises and cloud infrastructure, or even cloud-to-cloud deployments, where production load is moved to an alternate data center site or cloud availability zone and remains there. We also have customers that use the more traditional testing approach, where they simulate the loss of a primary site and move the production load across to an alternate site, perform testing, and then move the load back to the primary site. They perform this type of testing on a regular basis, with hundreds or thousands of applications and services all participating in a well-rehearsed, orchestrated event.
Cutover differentiates itself with scalable and proven dynamic runbook technology that underpins data center and application recovery plans. With Cutover you can quickly access a library of comprehensive, executable, and auditable recovery plans covering your entire IT application estate and their associated business owners.
At Cutover, we believe that one way financial service organizations can prepare for the upcoming DORA, as well as more recent regulation introduced by the FCA and PRA around support for important business services, is to adequately capture, test, and iteratively improve your organization’s recovery plans across your teams and technology.
A recent study by Forrester into the Total Economic Impact of Cutover found that Cutover customers saw a 20% reduction in incidents when using Cutover for resilience, resulting in a saving of nearly $1.3 million over three years.
The advantages of using Cutover for Digital Operational Resilience Act compliance
Cutover’s proven Collaborative Automation cloud solution interconnects your teams, applications, and technologies to strengthen your IT disaster recovery strategies. Cutover’s proven solution for operational resilience testing gives you confidence in your testing and live invocations as well as enabling you to:
- Plan your response: Through the use of runbooks you can detail all the recovery tasks required, regardless of whether it is a planned, unplanned, or live invocation in response to a particular event or set of events. You can build a comprehensive, templated, and approved recovery plan library so you know exactly what will happen in your recovery strategies.
- Automate your recovery strategies by eliminating manual processes during planning activities and executions. With Cutover you can free teams from manual tasks to focus on higher-value activities.
- Create Cutover runbooks to cater to a variety of events, including responding to a cybersecurity attack or data center failure. Runbooks provide a set of instructions on how to fail over a particular service from one location to another or perform switchovers of production load to alternate sites.
- See a visual representation of your executable runbooks via the node map functionality, outlining the human and automated workflow of activities from start to finish.
- Rehearse to build muscle memory by using runbooks that can be dynamically edited in real time and provide a detailed audit trail that can be used for analysis and improvement. More frequent testing enables you to identify issues with recovery scenarios, such as missing steps and opportunities for automation, and ensure familiarity with the processes to be run in response to an incident.
- Move to unannounced testing, which is the best predictor of disaster recovery success and can offer the most insight into how to modify processes and technology to better protect IT infrastructure.
- Integrate with a wide ecosystem across the IT resilience stack through our pre-built and custom integrations capability. Cutover enables you to have full flexibility for tight integrations via a REST API for the programmatic creation and execution of recovery plans. With Cutover you can easily integrate with a wide base of applications and sources including third-party IT service management systems and configuration management databases, such as ServiceNow or local proprietary-built applications.
- Communicate to keep your team informed through in-built communication features that allow for timely, clear, and effective communication in the midst of recovery, as well as during regular test events.
- Get real-time visibility during execution via custom dashboards that provide a clear view of how the event is progressing. You can compare how long an activity has taken against the forecast time for that activity to see if you are meeting your recovery goals.
- Achieve DORA compliance with auto-generated audit trails that can be used to demonstrate dated compliance testing events and outcomes.