On 17 January 2023, the new Digital Operational Resilience Act (DORA) came into effect. This EU regulation seek to improve the security and resilience of financial institutions and their ICT service providers against digital disruptions and threats. It will apply to all financial institutions operating in the EU, including banks, investment companies, trading platforms, central counterparties, and other financial market infrastructure.

The new regulations will be mandatory starting on 17 January 2025, meaning that there is a two-year period to adapt to the requirements. The large-scale goals of the policy are as follows:

• To establish uniform requirements for risk management, governance, monitoring, reporting, testing, and auditing of financial institutions and their critical ICT service providers.

• To increase the resilience of financial institutions, focusing on the implementation of comprehensive business continuity strategies that guarantee the provision of services to customers in the face of disruptive events. Institutions must strengthen their disaster recovery plans and contingency and data backup systems.

• To create a coordinated oversight mechanism for critical ICT service providers and organizations operating in Member States, with the goal of avoiding overlaps and guaranteeing consistent application. The competent authorities will ensure compliance with the established regulatory framework, auditing organizations, which in turn must periodically report any relevant incidents or events.

• To improve information sharing and cooperation among the competent authorities and EU agencies in the fields of cybersecurity and digital operational resilience.

For GMV, the implications and challenges of DORA will play a major role in transforming architecture of financial institutions’ processes and systems. Notable aspects include the following:

• Integration of ICT risk at the highest level of management, establishing a model for calculating such risk in the event of any changes in the organization's ICT processes, systems, and providers.

• Comprehensive reformulation of continuity strategies:

  • Specific response capabilities and processes based on the type of incident.

  • Model for calculating the direct and indirect costs of the incident and the obligation to report them to the competent authority.

  • Activity log before, during, and after the incident.

  • New strategies for segmentation and immediate disconnection of networks and assets.

  • Structured and auditable plan for testing the entire system, supported by a continuous improvement plan.

• Expanded inventory of critical services and assets, mapping support from systems and external suppliers and identifying sources of risk.

• Strong commitment to training and awareness-raising in relation to resilience and cybersecurity. Comprehensive, audited programs that must cover all the groups in the organization.

• New relationship model with essential ICT suppliers. The subcontracting and dependency chains must be clearly identified, and the competent authority must be informed of changes in the established contracts. Organizations will be required to design and deploy exit and redundancy strategies for suppliers that support one or more of their essential functions. There will also be a set of requirements for approving these essential suppliers within the European Union framework, which will help improve the financial sector’s overall resilience from an ICT perspective.

• Structured, uniform models for operations management. Shared models will be established for classification, logging, impact calculation, and notification of incidents, with the obligation to report such events to the competent authorities and inform other organizations in the sector in the case of an extremely serious incident. New monitoring strategies may be necessary.

• Focus on crisis communication and management, establishing specific positions and roles for this purpose and strengthening automation mechanisms, including notifications to the institution’s own customers.

For GMV, three key levers are essential in successfully increasing DORA compliance. The first consists of adopting a comprehensive framework of processes covering ICT operations and security in a natural way, while allowing for the adoption of global GRC solutions for risk monitoring. The second seeks to focus on data, through the creation of a Resilient Data Lake that will make it possible to integrate information sources and apply AI for decision-making. Last but not least is the promotion of hyper-automation in all activities and systems related to the activation of the Response and Recovery Plans.

More than a mere regulatory compliance instrument, DORA may offer a significant opportunity to improve customer experience, helping to improve the quality, availability, and security of the services while increasing the end customer’s trust and engagement. The impact of DORA will also bring about a qualitative leap forward in terms of maturity in ICT services, introducing mechanisms for competitiveness and continuous improvement that will undoubtedly lead to the growth of all the players involved. GMV's approach in this field is clear: innovation, commitment, and strong expertise, backed up by an extensive track record in information technology and security.

** This article was first published in the online edition of Comunicaciones Hoy.

Ángel García-Madrid Velázquez
Head of GMV's Resilience Services
Business Continuity Manager