Decoding What the EU’s DORA Regulation Means By “Operational Resilience”

As the world continues to rapidly digitize, many organizations face new operational challenges. These challenges have real-world consequences. Consider the 2023 FFA systems failure: an internal systems error that resulted in thousands of flight delays globally, which led to millions of dollars lost for both airlines and their countries.

Operational defects are at the heart of a surprising number of these disruptions, often causing delays or complete system shutdowns which lead to significant costs. These software defects are often overlooked as teams focus on security vulnerabilities. But not dealing with these bugs can be costly. Based on Gartner data, the annual cost of vendor operational defects to an average enterprise company is at least $6.5 million!

Not only are individual organizations taking preventive measures, but nations are also enacting regulations. For example, the EU’s newly proposed Digital Operations Resilience Act (DORA) aims to safeguard financial institutions from internal operational defects.

Important to observe for IT and GRC leaders is that this regulation goes beyond cybersecurity, requiring “operational resilience” in all areas of IT Risk, including third-party providers. For organizations to be compliant by January 2025, they need specialized tools that detect vendor software bugs. These defects are one of the biggest threats to resiliency. Yet many organizations are exposed in this area because they mistakenly believe that their security solutions are addressing this risk.

Below, we dive into this new regulation for EU financial entities and what must be done to comply.

While many financial institutions are cognizant of security vulnerabilities, they must also be informed about the risk of operational defects. The difference is that security vulnerabilities are weaknesses in systems that could be triggered by a threat, while operational defects are software bugs that affect the integrity or availability of IT systems.

The DORA EU legislation provides directives to protect financial institutions from both security vulnerabilities and operational defects. Some of the main directives of the legislation include:

What it means: Digital Operational Resilience means the resilience of financial institution’s IT capabilities, and associated third-party capabilities, required to ensure their financial services are impervious to disruption.

This regulation specifically pertains to financial institutions. The entities that the EU considers in scope is fairly broad – including “credit institutions, payment institutions, e-money institutions, investment firms, crypto asset service providers, central securities depositories, managers of alternative investment funds, UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers.”

In other words, many companies that were not previously subject to these types of regulations are within the scope of DORA! 

What it means: Anything that may interfere with the stability or security of internal and third-party IT capabilities, upon which financial services are dependent.

What it means: DORA not only requires managing confidentiality risks in the form of cybersecurity, but also risks to the availability, authenticity, and integrity of both internal and third-party IT capabilities.

Operational resilience against IT vendor defects is a central focus of the DORA legislation. DORA provides clear rules on digital safety, dictating how financial firms must handle IT risks, report incidents, and test their IT systems. Recognizing the reliance firms have placed on third-party software, the EU DORA regulation aims to reduce risks stemming from this dependence.

With the enforcement date of January 2025, financial institutions operating in the EU must take the necessary measures to ensure their firm is compliant. Financial firms who operate in the EU can leverage BugZero to identify their third-party hardware and software  bugs, and automatically create tasks in their ITSM tool to address those risks.

BugZero follows a unique, yet intuitive approach to detecting Operational Defects. The image below depicts how BugZero identifies operational defects in vendor systems and notifies you of potential risks.

BugZero is currently the only solution in the operational defects space. DORA-compliant firms will benefit from the following features.

BugZero aggregates multi-vendor operational defect data, giving organizations comprehensive information on potential risks. This not only aids in meeting DORA’s mandate for ICT risk management, but empowers IT teams to proactively assess and understand risks throughout their entire IT infrastructure, aligning with DORA’s requirements for resilience testing.

By mapping every vendor operational defect to the affected system, BugZero streamlines reporting of ICT-related incidents, which is a key requirement of DORA.

Given that BugZero integrates third-party operational defect data, organizations can better manage ICT third-party risks. This aligns with DORA's directive to protect against reliance on third-party vendors. BugZero is the only commercially available platform that meets the DORA Regulatory Technical Standard to "identify and evaluate available software and hardware patches and updates using automated tools."

BugZero's focus on IT operational resilience eliminates the need for bug hunting in third-party vendor products. This aligns with DORA's objective of enhancing digital operational resilience among financial institutions. Additionally, it saves organizations time.   With DORA set to be mandatory in January 2025, European financial institutions must focus on how they will become operationally resilient. Guarding against operational defects, especially from third-party vendors, is crucial for organizations relying on digital platforms. Enabling DORA-Compliant Firms with the Best Operational Solutions

BugZero is a first-of-its-kind platform designed specifically for operational resilience. It protects against internal threats and equips organizations for future digital challenges.

Need to become DORA compliant? Contact BugZero to learn more about our solution!

Discover even more implications of DORA for your firm by diving into our whitepaper: "Building Operational Resilience into your Continuous Compliance Framework."