Digital Operational Resilience Act (DORA) and supporting IBM Cloud capabilities

By Sumit Yadav posted Thu March 28, 2024 08:29 AM


Increased digitization and interconnectedness have enabled remarkable scale, speed, and cost efficiencies for businesses. However, the same technology can also cause business disruptions. When the disrupted businesses operate in critical industries such as financial services, the results could be disastrous: economic challenges, social unrest, and geopolitical upheaval. This is driving increased regulation around digital sovereignty and operational resiliency.

The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a binding information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes standards that Financial Institutions (FIs) and their critical third-party technology service providers must implement by January 17, 2025 to foster a universal framework for managing and mitigating ICT risk in the financial sector.

Key drivers for DORA include making the European Union financial sector more resilient by harmonizing regulatory and supervisory approaches across European Union member states, creating a level playing field and a smoothly functioning internal market. DORA constitutes a ‘Lex Specialis’ for the financial services sector, meaning it takes precedence over related requirements, most notably the Network and Information Security directive (NIS-2).

Alignment with DORA is likely to benefit FIs and third-party service providers by operationalizing harmonized industry best practices for risk management, incident response, operational resiliency, and third-party risk management. These best practices, when translated into policies, procedures, and templates, can guide a robust infrastructure, enhanced cybersecurity, and resilient systems, helping FIs to enhance their process maturity and thereby gain a competitive edge. DORA alignment may enable third-party service providers to reassure their clients that their data, applications, and assets are secure and resilient in case of disruptions. It can help reduce the risk of data breaches and consequently avoid hefty penalties and reputational damage should a breach occur. Likewise, cloud service providers have an opportunity to proactively evaluate their operational resiliency and become a trusted provider for their clients in the financial sector.

DORA requirements and supporting IBM Cloud capabilities

The DORA Regulation was formally adopted in November 2022, with further requirements to be specified in Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). The first set of final draft technical standards was submitted to the European Commission on January 17, 2024, and a second set of technical standards will be submitted to the European Commission by July 17, 2024. These standards are expected to be finalized in 2024 and will complement DORA’s legislative text once they come into force. At the same time, the European Commission has developed a Delegated Act that further specifies the criteria for designating ICT third-party service providers as critical. Once the Delegated Act is adopted, the European Supervisory Authorities (ESAs) will designate the critical ICT third-party providers in scope of Oversight by the ESAs. When DORA applies from January 17, 2025, compliance must consider alignment with the RTS and ITS.

DORA establishes requirements for FIs and ICT providers across the following domains:

  1. ICT risk management and governance
  2. Incident response and reporting
  3. Digital operational resilience testing
  4. Third-party risk management
  5. Information sharing

1. ICT risk management

The management body of financial institutions (FIs) has the ultimate responsibility for managing and controlling the firm’s ICT risk. Covered FIs are expected to develop comprehensive ICT risk management frameworks, map their ICT systems, identify and classify critical assets and functions, and document dependencies between assets, systems, processes, and providers. FIs must conduct continuous risk assessments of their ICT systems and document and classify cyberthreats and mitigation measures. FIs are required to maintain a register of information about contractual arrangements with third-party ICT service providers, conduct pre-contract due diligence, and align their contractual provisions accordingly. FIs will also need to establish business continuity and disaster recovery plans for various cyber risk scenarios, including plans for data backup and recovery measures, system restoration processes, and plans for communicating with affected clients, partners, and the authorities.

As an enterprise cloud for regulated industries, IBM Cloud’s alignment with industry standards and certifications such as ISO 27001, ISO 22301, and PCI DSS provides a solid foundation for meeting DORA requirements. IBM Cloud introduced IBM Cloud for Financial Services to support clients in mitigating their ICT risks, addressing regulations, and accelerating their cloud adoption.

IBM enables FIs to mitigate their third-party risks when they use IBM Cloud Financial Services Validated services that meet the IBM Cloud FS control requirements. IBM Cloud services and third-party managed services that are labelled IBM Cloud for Financial Services Validated in the IBM Cloud Catalog leverage the industry’s highest levels of encryption certification, provide controls for financial services regulatory workloads, and offer multi-architecture support and proactive, automated security. Likewise, IBM Cloud® Security and Compliance Center, an integrated solutions suite, defines policy as code, implements controls, and assesses security and compliance posture across hybrid multi-cloud environments, enabling FIs to continuously monitor their cloud assets and identify misconfigurations and risks across hybrid multi-cloud. IBM Cloud Security and Compliance Center Workload Protection enables vulnerability scans for critical workloads, securing containers, Kubernetes, OpenShift, and hosts with runtime security and forensics. IBM Cloud Data Security Broker and IBM® Confidential Computing solutions give FIs technical assurance of total data privacy, even while system and cloud administrators continue to manage the infrastructure without having access to the data.

2. ICT incident response and reporting

FIs are required to establish systems for monitoring, managing, logging, classifying, and reporting ICT-related incidents. Depending on the severity of the incident, FIs may need to report to both regulators and affected clients and partners. FIs will be required to file three different kinds of reports for critical incidents: an initial report notifying authorities, an intermediate report on progress toward resolving the incident, and a final report analysing the root causes of the incident. IBM supports the management of security incident response: for large, enterprise-level issues, a Customer Incident Report (CIR) is provided to FIs, including information about how services are impacted and how the issue is being resolved. An interim CIR is followed by a final CIR, supporting FIs in their reporting obligations to supervisory authorities. IBM Security X-Force® offers FIs services for detection and recovery from incidents, as well as managed detection and response; IBM Control Desk with Maximo® helps FIs manage and report on critical assets; and IBM Cloud Security and Compliance Center Workload Protection can be used to provide FIs with runtime forensics and incident response for containers.

3. Digital operational resilience testing

FIs are required to test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities. The results of these tests, and plans for addressing any weaknesses, need to be reported to and validated by the relevant competent authorities. FIs must carry out basic tests, such as vulnerability assessments and scenario-based testing, once a year. FIs judged to play a critical role in the financial system will also need to undergo threat-led penetration testing (TLPT) every three years.

IBM Cloud provides FIs with services that are resilient by design, with an architecture that uses application-level resiliency, redundant deployments, and fault isolation patterns across the different IBM Cloud regions and data centers. To improve the resiliency and business continuity of FI services, service data planes are designed to minimize dependencies on the control plane and to continue delivering their primary function even when the control plane fails. IBM Cloud provides FIs with high availability and disaster recovery, supports Disaster Recovery (DR) testing using DR dry-tests, simulation, and switch-over to a DR site, and conducts regular penetration testing with partners. IBM supports FIs conducting penetration testing of their own VPC or Classic Infrastructure resources on IBM Cloud. IBM Cloud® Backup, a full-featured, agent-based backup and recovery system, can be managed through a web interface. IBM Cloud maintains internal encrypted backups of FIs’ content within the same geography where the regional or zonal service is located, for recovery in case of data corruption or a major data centre disaster. IBM Security® Guardium® Vulnerability Assessment scans enable FIs to detect vulnerabilities and receive suggested remedial actions, both on-premises and in the cloud, based on benchmarks from STIG, CIS, CVE, and other configuration standards. IBM Security X-Force® Red Penetration Testing provides penetration testing of FIs’ applications, networks, hardware, and personnel to uncover and fix vulnerabilities that expose their critical assets to attacks.

4. ICT third-party risk management

FIs are expected to play an active role in managing ICT third-party risk. When outsourcing critical and important functions, FIs must negotiate specific contractual arrangements regarding exit strategies, audits, and performance targets for accessibility, integrity, and security, among other things. FIs will not be allowed to contract with ICT providers who cannot meet these requirements. The competent authorities are empowered to suspend or terminate contracts that don't comply. A further step that DORA takes with respect to managing ICT third-party risk is the subsequent designation of ICT third-party service providers as critical by the ESAs. Critical ICT third-party service providers, whether based within or outside the EU, will be subject to direct oversight from the ESAs, with one of the ESAs acting as the Lead Overseer for each individual ICT third-party service provider. DORA’s oversight framework for critical ICT third-party service providers will include a considerable amount of regulatory engagement on the various DORA requirements and compliance with them, as well as investigations, inspections, and remediation of regulatory recommendations. Critical ICT third-party service providers found non-compliant with the Lead Overseer’s recommendations can be subject to penalties of up to 1% of the average daily worldwide turnover in the preceding business year.

IBM Cloud's global network of locations gives FIs the flexibility to choose where they want to run their workloads. IBM Cloud ensures that FIs’ critical data and workloads (as defined in the IBM Cloud Service Agreement) are stored and processed in the selected region in accordance with the IBM Cloud Data Processing Addendum and the IBM Cloud Terms site. FIs can securely tap into third-party capabilities and innovations without compromising their risk posture by leveraging Financial Services Validated IBM Cloud services or third-party services that have evidenced compliance with the controls of the IBM Cloud Framework for Financial Services®. Additionally, IBM Consulting™ and IBM Software can support FIs with services for third-party risk assessment, risk governance, and controls for third-party risk management.

5. Information and intelligence sharing

FIs must establish processes for learning from both internal and external ICT-related incidents. DORA encourages FIs to participate in voluntary threat intelligence sharing arrangements. IBM Cloud Pak® for Security provides FIs with a platform to quickly integrate their existing security tools and generate deeper insights into threats across hybrid, multicloud environments. IBM X-Force® Threat Intelligence Services leverages a team of world-class intelligence analysts to help FIs understand how the threat landscape is changing and the latest techniques threat actors are using, and to mine insights from malware reverse engineering, dark web research, and vulnerability tracking to better secure their environments.

Looking ahead

Given the tight timelines for implementing DORA, even while the technical standards are being finalized, it is important that FIs engage with their technology partners and third-party service providers in discussions on DORA readiness. IBM continues to actively monitor the finalization of the DORA technical standards and to partner with our clients to support their DORA readiness, building awareness and strengthening operational resilience capabilities, while maintaining the dialogue with our ecosystem stakeholders.

Authors: Vivek Kinra and Sumit Yadav

Legal disclaimers:

© Copyright IBM Corporation 2024

This blog is provided for informational purposes only.

IBM is committed to helping our clients and prospects with the knowledge to enable them to make decisions regarding their own client base needs.

The intended audience for this blog is legal and compliance experts seeking to understand the European Union’s regulatory guidelines as they migrate to the cloud.

Clients are responsible for ensuring their own compliance with various applicable laws and regulations. Clients are solely responsible for obtaining professional legal advice as to identifying and interpreting any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. IBM does not provide legal, accounting, or auditing advice. IBM also does not represent or warrant that its services or products will ensure that clients are compliant with any applicable laws or regulations.
