Preparing for DORA: building operational resilience into your continuous compliance framework
By January 2025, financial service companies that operate in the EU will need to change how they approach IT risk. With technology constantly evolving, we must also evolve IT risk management.
New regulations are accelerating this vital adaptation, such as the recently enacted Digital Operational Resilience Act (DORA), which was published as a regulation applying to financial services firms in the European Union. While the EU has various regulations regarding security and privacy, such as the General Data Protection Regulation (GDPR), DORA is the first legislation that focuses specifically on IT operational risk.
The regulation was initially published in January of 2023, with an implementation deadline of January 2025. Firms that are non-compliant may face major risks, in addition to hefty fines for them and their third-party providers. As an example, one percent of average daily worldwide turnover may be imposed daily for up to 6 months as a fine.
One element that is too often overlooked when identifying IT risk factors: Operational Defects, also known as stability bugs or functional bugs.
These mistakes in software, which mainly stem from third-party vendors, are the third leading cause of costly IT downtime. The financial losses associated with these outages continue to grow. In a 2022 ITIC survey, 44% of respondents reported that one hour of downtime causes a loss ranging from $1 million to over $5 million.
DORA explicitly states that financial entities must address “any reasonably identifiable” IT risk, which includes these third-party operational defects. This whitepaper will cover solutions available to improve your operational resilience while reducing the risk of costly outages. From the knowledge gained and solutions offered in this whitepaper, any financial entity with operations in the EU will be in a better position to:
“We live in uncertain times. Banks and other companies which provide financial services in Europe already have plans in place for their IT security, but we need to go one step further. Thanks to the harmonised legal requirements which we adopted today, our financial sector will be better able to continue to function at all times.”
Minister of Finance of Czechia, on DORA legislation adoption, November 28th, 2022
The DORA regulation enforcement date will be here before you know it – take steps today to elevate your operational resilience to the next level.
DORA was enacted on January 16th, 2023.
Regulatory and technical standards are defined and issued by the European Supervisory Authorities (ESAs). They will provide financial firms with guidance on how to implement specific DORA requirements.
After a 2-year grace period, DORA will become enforceable. Financial entities must comply by January 17th, 2025.
In a Forbes survey of 261 IT leaders in large organizations around the world, 37% reported that the majority of their IT budgets go to ongoing maintenance and management. Despite such a large budget and time commitment, operational defect risk is rarely fully controlled until a million-dollar outage occurs.
Historically, the process for managing operational defects and related conflicts has been a disjointed, manual effort – which leaves room for human error. Part of DORA’s goal is to push financial firms to create processes around mitigating risk to help avoid human error. These new workflows will prevent unplanned downtime, help financial firms prepare for DORA, and mature their IT processes by proactively addressing risk.
How can firms make these workflows more efficient? Manually searching for operational defects in your Information and Communication Technology is now outdated. Your automated vulnerability management solution does not include this information, leaving you exposed to software defect risk. There is now a better way to manage operational defect risk: BugZero.
“Set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.”
Introducing the Digital Operational Resilience Act
BugZero provides an automated process that is comparable to how software vulnerability risk mitigation is handled. Our platform protects against operational defects from third-party providers. BugZero is the first product to centralize and automate this operational defect risk mitigation, and also to report on it.
When it comes to managing risk using the BugZero platform, we have aligned our recommendations with the ISO 31000 Risk Management process.
Below are the suggested roles to be involved and expected results for each stage of the operational defect management process. Learn more about how BugZero improves your IT Operational Risk Management Maturity on our Risk Management page.
Beyond supporting Operational Resilience for DORA, BugZero aligns with the NIST 800-53 Risk Management Framework at Level 3, providing continuous compliance for the integrity and availability of our customers' systems and applications.
BugZero can help your firm prepare for DORA faster, enabling you to build and maintain a dedicated ICT third-party software risk strategy by January 2025. Our platform is the only solution that can ensure the operational resilience of your third-party software. BugZero is the first solution that centralizes your operational defect risk management process while also automating it. Taking proactive action on these risks will reduce the number of incidents you would have to report to the authorities in 2025 and beyond.
In short, BugZero brings software defect risk under control while enhancing your firm’s stability and predictability.