Understanding DORA: How to operationalize digital resilience

By Lorenzo Marchetti, Head of Global Public Affairs

In an interconnected world, digital resilience is crucial for navigating crises and safeguarding financial and security assets. The European Union (EU), comprising 27 countries and 450 million people, recognizes the significance of digital resilience and has introduced regulatory mandates to fortify and align the digital ecosystem. The latest addition to this landscape is the Digital Operational Resilience Act (DORA), alongside NIS2 and the Critical Entities Resilience Directive (CER), all effective since January 2023. This article explores the role of technology in responding to the DORA regulation and the opportunities it presents for organizations.

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in the EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience.  With DORA, there is a significant change for the financial sector because organizations are now mandated to ensure the resilience, continuity, and availability of their information and communication technology (ICT) systems while upholding stringent data security standards. Aligned with existing regulations like NIS2 in the EU and the Bank of England Operational Resilience Regulation in the United Kingdom, DORA offers organizations the chance to leverage existing capabilities to meet the new requirements effectively. This regulatory framework lays the foundation for an efficient and agile risk management framework, compelling organizations to enhance their ICT risk management policies and procedures.

Compliance with DORA requires increased documentation to demonstrate adherence. Organizations must document their ICT and information assets, develop comprehensive encryption and cryptographic control policies, and establish protocols for network security management and data transfer protection. The Regulatory Technical Standards (RTS) further clarify DORA requirements. Organizations must conduct gap analyses to identify documentation gaps and validate processes and controls. Establishing governance processes to support these policies and ensuring long-term maintenance are crucial steps in achieving compliance.

The different components to Operationalize DORA: the role of Everbridge critical event management (CEM)

Although DORA offers a simplified ICT risk management framework for some organizations, governance, risk mitigation, ICT business continuity management, and reporting remain essential even within this simplified model. Implementing and maintaining this framework presents challenges, particularly for organizations with less formalized processes. It is crucial for organizations to assess their business strategies and identify applicable requirements for compliance.

Technology plays a pivotal role in enabling organizations to respond effectively to DORA compliance. Advanced software solutions, such as those offered by Everbridge, provide comprehensive support in meeting physical security, ICT security, and change management demands. They enable automation, streamline processes, and enhance visibility, empowering organizations to demonstrate compliance and strengthen digital resilience.

Operationalize DORA: Physical security

Physical security is crucial for overall digital resilience. Organizations must safeguard physical assets such as secure premises, data centers, and hardware equipment. Technology solutions can strengthen physical security measures by providing robust access control systems, surveillance systems, and incident management capabilities. These solutions enable organizations to monitor and manage physical access, detect and respond to security breaches in real-time, and ensure compliance with physical security policies.

Everbridge Smart Security allows organizations to centralize their physical security through Physical Security Information Management (PSIM) technologies, avoiding the costs of replacing physical devices. It facilitates the automation of standard operating procedures and response plans, as well as communicating with key stakeholders.

Operationalize DORA: Respond to business and people impacting events

Furthermore, as hybrid working trends continue, ensuring consistent protection for employees working from various locations becomes critical. Everbridge CEM for Business Operations and People Resilience provide organizations with the data repository and risk intelligence needed to identify potential risks and to communicate before, during, and after a crisis. These solutions will automate communications to impacted individuals, responders, and stakeholders, integrating with operationalized response plans.

Operationalize DORA: Digitizing operational resilience

ICT operations security includes capacity and performance management, data and systems security, vulnerability and patch management, and encryption and cryptographic controls. Technology solutions, like Everbridge CEM for Digital, address ICT operations security challenges. These solutions integrate with security monitoring and management systems, enabling organizations to identify vulnerabilities, monitor performance, and implement robust security controls. Automation and real-time alerts allow proactive detection and response to security incidents.

ICT change management involves managing changes to ICT systems, including project management, system development, acquisition and maintenance, and ICT change management requirements. Organizations must establish robust change management processes to minimize risks and ensure seamless operations.

Everbridge CEM for Digital offers an integrated approach to ICT risk management, facilitating collaboration, communication, and coordination among different teams. This technology solution integrates risk assessment, auto-remediation, incident management, and reporting capabilities, streamlining risk management processes and reducing the impact of events on the organization.

Complying with DORA presents many challenges. Technology solutions, like Everbridge CEM for Digital, streamline processes, automate tasks, and optimize resource utilization, offering cost-effective options for managing ICT risk and compliance requirements.

The way forward

Fostering a culture of resilience and risk management across the organization can be challenging. Technology solutions play a vital role in fostering this culture by providing intuitive interfaces, user-friendly workflows, and collaborative features. These solutions facilitate employee adoption and engagement, as well as centralized risk management processes.

While compliance with DORA may pose challenges, organizations can leverage the regulatory requirements as opportunities to drive innovation and gain a competitive edge. Advanced analytics, artificial intelligence, and machine learning capabilities allow organizations to gain actionable insights, proactively mitigate risks, and demonstrate commitment to digital resilience.

Everbridge empowers organizations to simplify compliance efforts and build operational resilience. Organizations can respond to business and people impacting events with Everbridge software solutions and drive better outcomes. Everbridge CEM operationalizes preparedness, automated communications, and reporting. By leveraging technology, organizations can embrace EU mandates on digital resilience, strengthen their ability to prevent crises, and better navigate the complexities of regulations effectively.

To learn more, join us for an insightful webinar hosted by Everbridge, as we delve into the challenges and strategies faced by financial institutions in implementing strategies and tactics to comply with the European Union (EU) Directive on Operational Resilience Act (DORA).  

Watch the on demand webinar, Unlocking DORA, from Policy to Operationalization.