ISV Ecosystem - Group home

How DORA Changes the Cybersecurity and Data Resiliency Landscape for Financial Entities


What keeps you up at night? Is it the sheer volume of data? Manual recovery processes? Mainframe skills and application knowledge gaps? Silos of responsibility? If so, you’re not alone. These are among the operational resilience challenges Gartner identified in a 2022 report.

“Applications and APIs are expanding to make more business functionality accessible,” according to the Gartner 2022 Planning Guide for Security and Risk Management. “Along with these trends, security and risk management professionals are facing an increasing number of hazards from a growing and varying threat environment.”

With these trends come additional risk. To ensure these risks are taken seriously, the European Union seeks to strengthen the IT security of financial entities with the Digital Operational Resiliency (DORA) legislation. The legislation affects not only banks, insurance companies and financial markets in the EU, but also organizations that conduct business with these financial entities.

It’s easy to understand why DORA has been enacted. The basic requirement of DORA is that businesses will ultimately be able to demonstrate to auditors that their technology infrastructure provides the capabilities to recover from any issue: be it a cyber attack, a data breach or a simple accident where critical information is inadvertently deleted by a user. 

Further, DORA takes an all-inclusive view. A business is responsible for its IT environment as a whole, and not simply the machines it operates on the raised floor. Your IT staff may consist of admins and storage architects. You may have workloads running both on-premise and in cloud environments offsite. To DORA, it's all the same, and your business is responsible for every bit of it. Whatever might happen, you must be able to prove that you have all the pieces in place to swiftly recover.

Operational Resilience and DORA’s Requirements

Though there are many definitions of Operational Resilience, I believe Gartner’s Information Technology Glossary sums it up. "Operational resilience is defined as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners).”

Ireland's International Financial Services Centre (IFSC), outlines the key DORA dates and milestones. Entities that violate the act's requirements may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000, according to IFSC.

Though DORA is focused on the financial industry, its impact will be felt throughout the business world. While other nations and certain industries are adopting similar measures such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), DORA, which will be phased in by January 2025, may be the most significant development to date in the area of cybersecurity and data resiliency.

Building Resiliency and Cybersecurity Into Your IT Framework 

It's an obvious but also an important point: Getting current on mainframe hardware and software is a critical first step toward achieving cybersecurity and data resiliency. If you're three generations back on hardware or you’re running five back levels of z/OS, your organization simply won't be as secure as it could be. z/OS V2.5, released in 2021, boasts an array of security and data privacy capabilities.  And of course, the IBM z16 debuted in 2022.

Tools are another critical consideration. The IBM Z Batch Resiliency management solution (IZBR) provides a single point of control for IBM Z backup and recovery audit and control. The automated tool manages applications and non-database managed data (e.g., VSAM, sequential, batch, etc.) And for those who have an air-gapped copy, it provides an inventory of and can surgically recover ALL data sets from Db2 to IMS and PDS, etc., making it an ideal fit for the DORA framework.

DORA Changes the Data Resiliency Game: Stay Ahead of It

In certain respects, I believe DORA is telling us to go back to the old standards. Very few organizations do true testing at all anymore. Today, we test the hardware and fail it over. We test specific applications. We don’t practice restoring our business after an event. We must be able to run our business after a restore. It HAS to work!

But DORA raises a question: Have you sufficiently built into your operational frameworks the resiliency that they need? That’s important because we don't know our data the way we once did. Knowing your data doesn't happen by simply making copies of it. We need to get back to doing good old-fashioned data backup and recovery, where we actually understand our data, how it’s used and where it’s backed up. To be truly operationally resilient, we must make sure the right data backed up for the right amount of time, with the ability to recover quickly and effectively, no matter what the event is.

Much will change with DORA. It will change business—and it will assuredly erase the silos between applications, operations and storage. DORA leaves no choice other than for these groups to work together to address the problem and create the solution.

We no longer can rely on manual efforts or how we have always done it. We are modernizing applications and we are proving that the mainframe platform is a platform of the future. IZBR can help your organization improve resiliency to meet the requirements outlined in DORA. To learn more about IZBR, contact us at or +1 800-555-6845.

#ibmchampions-highlights #ibmchampions-highlights-home