DORA, a backpack of recommendations
Although you’re used to us talking about operational efficiency, this time we’re going to discuss regulation and compliance. Specifically, we want to clarify some doubts about DORA. And no, it’s not the one with the backpack.
DORA (Digital Operational Resilience Act) is a legislative initiative of the European Union aimed at establishing a solid and coherent regulatory framework for managing Information and Communication Technology (ICT) risks, initially in the financial sector. However, it is very likely that it will extend to other economic sectors.
The seed of this regulation lies in the growing concern about cybersecurity. With digitalization and the full digital support of businesses, all efforts must be made to preserve stability and confidence in financial markets.
It came into force on January 17, 2023, and will become mandatory from January 17, 2025. This gives us less than a year to prepare, adapt to the new requirements, and ensure compliance.
What is DORA?
DORA focuses on the operational resilience of financial entities and their external critical technology service providers. It will help us build capacities to anticipate, withstand, recover from, and evolve in the face of operational adversities, including cyberattacks, technical failures, or any other type of disruption.
The fact that the regulation also applies to service providers is an unmistakable sign that it will gradually extend to other sectors. This means that all enterprise service management (ESM) cycles will, in some way, be affected by the regulation. So we will need to teach our artificial intelligences to take a more active role in these protection cycles, on both the reactive and the proactive side.
Benefits
The benefits of implementing DORA include:
- Improved risk management, by establishing a set of standards for managing ICT-related risks. The goal is to contribute to greater stability in the financial system.
- Data protection, by emphasizing the importance of data protection and management.
- Encouragement of innovation, by providing a clear and coherent framework in which innovations can facilitate the necessary adaptation of organizations.
- Coordination and cooperation, as it emphasizes the need for greater coordination between supervisory authorities at both national and European levels, enabling a more effective and unified response to incidents.
However, as we know, all regulations involve compliance. The first thing financial entities will need to do is perform a risk assessment and classify the identified risks according to their potential impact. One way to understand all value chains will be through the use of Process Mining tools, which, together with artificial intelligence algorithms, will highlight these potential risks.
Once this evidence has been identified, organizations will be able to define their own alerting and defense strategies, since DORA requires significant incidents to be reported and a record of them to be kept.
And all compliance involves analysis. It will also be necessary to conduct periodic tests to evaluate the entity’s resilience against potential adversities. A process mining tool can serve as a comparative compliance catalog.
Conclusions
DORA represents a step forward in consolidating a unified and solid approach to cybersecurity challenges in the financial sector. Its application will not only increase the operational resilience of financial entities, but also strengthen consumer confidence and the stability of the financial market as a whole.
And don’t forget the implications it will have for service providers, both in terms of cybersecurity and in the treatment and protection of data.
Entities that successfully adapt to this new regulatory framework will be better positioned to face the challenges and seize the opportunities of the digital era.
More regulatory information can be found at EUR-Lex.