
Digital Operational Resilience Act: Key insights

Explore how DORA regulation strengthens digital resilience and how we can support its implementation

November 29, 2024 | Edgar Bernhard

DORA regulation: A new normal for financial organizations starting 2025

The need for operational resilience increases as digital transformation reshapes the banking, financial services, and insurance industries. The Digital Operational Resilience Act (DORA), mandatory from January 2025, will enhance the financial sector's ability to resist cyber attacks, outages, and disruptions. T-Systems can help companies meet DORA requirements, ensuring seamless implementation.

Why DORA is important

DORA is a regulation by the European Union (EU) that mandates a comprehensive risk management framework for Information and Communication Technology (ICT) services in the EU financial sector. It is designed to give financial institutions the strength they need to confront cyber threats in today's digital landscape. It covers finance, insurance, and similar sectors, where businesses need to protect their IT systems against cyber threats and operational interruptions.

Now that the law is in effect, the sector must follow the stringent guidelines set by DORA to prevent ICT-related incidents. DORA is specifically dedicated to ICT risk management, providing detailed guidelines for managing risks, reporting incidents, testing resilience, and monitoring third-party risks related to ICT.

DORA aims to achieve several key objectives, such as: 

Addressing ICT risk management: The pandemic compelled the financial industry to adopt more digital tools to meet the online needs of the market. This increased cyber security vulnerabilities and operational risks. DORA helps financial organizations manage these risks by requiring a comprehensive ICT risk management framework. It ensures that organizations are ready for system crashes, cyber attacks, and other risks.

Harmonizing regulations across the EU: DORA harmonizes regulatory requirements in the financial market across Europe, creating a unified framework for digital resilience. In doing so, DORA will replace specific national regulations such as BAIT (Supervisory Requirements for IT in Banks) and VAIT (Supervisory Requirements for IT in Insurance Companies) in the future. This simplification streamlines compliance processes, enabling financial institutions and their service providers to align with a central set of rules that establishes consistent standards and requirements across the European Union.

Enhancing digital resilience: DORA aims to strengthen the digital resilience of financial institutions. It helps organizations maintain operations during severe disruptions, ensuring they can protect customer data and maintain trust. DORA also highlights the significance of effective third-party risk management to reduce the risks from external vendors.

Getting ready for a digital future: DORA is essential for safeguarding institutions as the financial sector increasingly depends on ICT. It ensures they are well-prepared to face the challenges of a digitalized world, protecting market stability and customer trust. DORA guarantees that financial institutions can uphold services during crises, protect customer data, maintain trust, and preserve market stability by enhancing operational resilience.

Key requirements for DORA compliance


DORA establishes essential technical standards for financial institutions and their ICT suppliers in four key areas. 

ICT risk management and governance: DORA assigns responsibility for managing ICT risks to the management body of each entity. Board members and senior executives need to actively define and implement risk strategies while staying informed about the changing ICT risk environment. Failure to comply can result in these individuals being held personally liable.

Organizations need to develop thorough ICT risk management frameworks. This involves creating maps of ICT systems, recognizing important assets, and performing routine risk evaluations. Conducting business impact analyses is important to assess the consequences of disruptions, determine risk tolerance levels, and influence infrastructure design.

Incident response and reporting: Effective incident management is vital. Entities must establish systems to monitor and report ICT-related incidents. Depending on the severity, reports may be required for regulators and affected parties. This process includes initial notifications, progress reports, and final analyses of incidents.

Digital operational resilience testing: Regular testing of ICT systems is a cornerstone of compliance. Entities must conduct annual vulnerability assessments and scenario-based tests. Every three years, critical financial institutions will be subjected to penetration testing based on identified threats.

Third-party risk management: DORA expands its expectations to include ICT suppliers. Financial institutions should actively address third-party risks by negotiating exit strategies and audits in contract terms. Identifying external dependencies is crucial to avoid depending too much on just one supplier.

Consequences of non-compliance: Failure to adhere to the rules may result in significant fines and reputational damage. Non-compliant companies are also more exposed to cyber security threats, raising the likelihood of digital disruptions. By following DORA, organizations strengthen their ability to recover from disruptions and build confidence among their stakeholders.

Overcoming compliance challenges

While DORA is critical for improving digital resilience, many organizations may face challenges when trying to comply with the regulations. Some common challenges include: 

IT complexity: The IT landscape can be very complex, especially where there is a large dependency on multiple third-party vendors in financial organizations. These complexities can pose challenges in meeting compliance.

High costs: Implementing the required systems for compliance can be expensive, particularly for smaller institutions with restricted budgets.

Shortage of specialized staff: Insufficiently skilled cyber security and risk management professionals can impede compliance efforts.

To tackle these challenges, organizations can take a few key steps: 

Partner with trusted experts: Working with experienced technology solution providers such as T-Systems can make the compliance process smoother. With specialized knowledge and resources, such partners can help financial institutions navigate complex requirements or identify suitable solutions together.

Embrace automation: Investing in automation tools can reduce the workload of continuous monitoring and reporting. This helps meet DORA standards while streamlining operations and making compliance easier to sustain.

How T-Systems supports finance organizations with DORA compliance

For companies navigating the complex requirements of DORA, partnering with an ICT service provider such as T-Systems can be instrumental in achieving compliance. T-Systems specializes in providing tailored cyber security, cloud solutions, and operational resilience services to financial and insurance firms. Here are some of the key solutions T-Systems offers.

Technology plays a critical role in enabling DORA regulations. Financial institutions can automate security processes, monitor risks in real time, and streamline compliance efforts using advanced technology solutions.  

Cyber security services: With its solutions, T-Systems helps organizations establish a cyber security framework that protects against emerging digital threats and ensures data integrity.

Cloud solutions and infrastructure management: As financial firms migrate more operations to the cloud, T-Systems provides cloud management services that support scalability, security, and resilience.

Continuous monitoring tools: With real-time monitoring tools, T-Systems ensures that financial institutions have full visibility over their systems, enabling rapid detection and response to potential risks.

These solutions ensure that financial and insurance companies can meet the stringent requirements of DORA while maintaining operational efficiency and security. Through the strategic use of technology, financial institutions can simplify compliance with DORA, improving their ability to prevent disruptions and maintain resilience. 

Act now: Together we will overcome the DORA challenge

With DORA set to take effect in January 2025, financial entities must prioritize organizational security, enhance digital endurance, and strengthen operational resilience to protect against rising cyber risks. Addressing DORA challenges now will not only help avoid potential penalties, but will also lay a solid foundation for future stability by addressing current threats and reducing vulnerabilities.

Why partner with T-Systems?

As a recognized IT services provider in the EU region, T-Systems has built a reputation for its expertise in regulations and compliance, particularly in alignment with the stringent standards of the EU. T-Systems, with its deep understanding of the EU regulatory landscape, is uniquely positioned to support financial entities in their DORA compliance journey.  

Through tailored services in cyber security, risk management, and operational resilience, T-Systems ensures smooth navigation of the DORA requirements. Leveraging automated security solutions and real-time monitoring, T-Systems helps financial institutions stay ahead of risks while ensuring regulatory compliance, and maintaining uninterrupted service delivery even during times of disruption. 

Contact T-Systems today to begin building your resilient and compliant future. Only together will we overcome the challenge.

About the author
Edgar Bernhard

IT Regulatory & Compliance Expert, T-Systems
