Exploring DORA: Why creating a path to resilience maturity is a critical success factor for financial services organisations

DORA (the Digital Operational Resilience Act) recently came into force and will soon impact thousands of financial services organisations across the European Union (EU). In this blog, my colleague Clara Lemaire and I share some insights about the requirements of DORA, as well as how Splunk can support financial services organisations on their resilience journey. Let’s explore DORA!

What is Operational Resilience?

There are many definitions of Operational Resilience, but the one I use the most frequently is:

‘the ability of an organisation to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.’

I like this definition because it alludes to the fact that there are many types of disruption that threaten the ability of (financial services) organisations to maintain high levels of operational resilience; examples include technology issues, security threats and political / economic instability but there are many others. Perhaps more importantly than this though, the definition refers to the direct link between being resilient and positive business outcomes. Being resilient drives brand equity, which in turn affects business performance.

The pandemic changed the face of retail financial services forever when it effectively forced many consumers to migrate to digital channels. The challenge that this presented for financial services organisations was quickly apparent as many struggled to deliver key business services. This was not the first time that the industry has struggled with operational resilience though, as is evidenced by a large fine recently issued by the Financial Conduct Authority (UK regulator) to a bank for ‘operational risk management and governance failures i.e operational resilience’ which took place in 2018. 

The collective struggles of the industry in relation to operational resilience have led to new regulations being introduced in many juristictions. Most notably the UK regulators introduced operational resilience guidelines which all financial services organisations need to prove they can adhere to by 2025. Many other regulators globally are following their lead. 

What is DORA and when was it introduced? 

The European Commission published its proposal for a Digital Operational Resilience Act (DORA) in September 2020. At the time, the EU realised that there was no consistent framework for managing risks stemming from the reliance of financial services organisations on Information and Communication Technology (ICT). “ICT risks continue to pose a challenge to the operational resilience, performance and stability of the EU financial system”, the Commission noted.

After two years of negotiations, the legal text was finally approved at the end of 2022, and entered into force on 16 January 2023.  It will apply from 17 January 2025. By then, European Supervisory Authorities will develop more than two dozen Regulatory Technical Standards (RTSs) to specify measures of the Regulation and help financial services organisations to comply. 

DORA is an EU regulation - as such, it will be directly applicable into national legislation and will not require transposition by the 27 EU Member States. There are very few areas in the text that are left to Member States’ discretion.  

What are the requirements of DORA for financial services organisations? 

DORA establishes four key requirements that financial services organisations need to comply with:

Requirement 1: Governance and ICT Risk Management

Financial services organisations are required to set-up and maintain resilient ICT systems and tools that minimise the impact of ICT risk. Some of these risk management measures are aligned to the capabilities of Splunk (see image), including monitoring and identifying sources of ICT risk and detecting anomalous activities.

Fig 1 (Right). Six steps for managing ICT risks

Requirement 2: ICT-related incident management, classification and reporting

The Regulation includes a general requirement for financial services organisations to establish and implement a management process to monitor and log ICT-related incidents. They also need to classify incidents and determine their impact based on a list of criteria.

Only “major incidents” shall be reported to national competent authorities. There are three reporting steps: 1. an initial notification; 2. an intermediate report, “as soon as the status of the original incident has changed significantly”; and 3. a final report, “when the root cause analysis has been completed”.  The time limits for each step will be established through Regulatory Technical Standards, as well as the format of the reports.

Requirement 3: Digital operational resilience testing

Financial services organisations must also establish and maintain a sound and comprehensive digital operational resilience testing programme in order to assess their preparedness for handling ICT-related incidents, identifying weaknesses, deficiencies and gaps in operational resilience, as well as promptly implementing corrective measures. 

Requirement 4: ICT third-party risk management

The management of ICT third-party risk is considered a full component of ICT risk. Beyond measures applicable to all third-parties, DORA also includes a specific oversight framework for critical third-party service providers. 

Which companies will be considered to be a critical provider? Providers whose failure could have “a systemic impact on the stability, continuity or quality of the provision of financial services”, or providers who are not easily substitutable by another provider. All critical providers will be identified at a later stage by supervisory authorities.

How can Splunk support financial services organisations to become more resilient?

In a previous blog post, I highlighted the importance of using data to provide a holistic view of the risks associated with any potentially destabilising event to improve operational resilience.

Splunk is well placed to support financial services organisations to do this. It is also able to support the key requirements of DORA - and most notably Requirement 1. Governance and ICT Risk Management and Requirement 2. ICT-related incident management, classification and reporting. Fig 2 (below) provides a high-level summary of the capabilities of Splunk which align with the DORA. Critically, Splunk’s unified platform can deliver across both security and observability domains. 

Fig 2. How can Splunk improve Operational Resilience?

From a purely regulatory perspective, using data to deliver improved MTTR (Mean Time to Respond) for any disruption is fundamental for providing the proof that all incidents have been managed effectively. In addition to proving regulatory compliance, the same data can often also be used to deliver the insights required to constantly evolve and improve product and service offerings.

The future: so what does good look like?

The future operating environment appears to be even more uncertain. In response to the unstable outlook, the European Parliament has published a paper on geopolitical risks and banking sector vulnerabilities, which focuses on the increased level of cyber attacks as well as the impact of the energy crisis. These are just two of the many potentially destabilising events that have increased the need for improved resilience and risk management recently.

In order to improve resilience, most organisations will go on a maturity journey which will start with obtaining foundational visibility and then build on this over time to ultimately achieve optimised experiences. Splunk’s view of the resilience maturity journey is summarised in Fig 3 below.

Fig 3. Splunk’s Operational Resilience maturity framework

Delivering exceptional customer experiences is typically the ultimate goal for financial services organisations and the journey they will go through in order to achieve this will lead them to naturally address the requirements of DORA. The dual goals of maintaining regulatory compliance and optimising the customer experience are therefore inextricably linked, which is why the ability to achieve resilience maturity is now a precursor for long term business success.