A Guide to the Digital Operational Resilience Act (DORA)

What is DORA?

DORA is an EU legislation aiming to improve the digital operational resilience in the financial sector. Today, companies are focused on managing third-party risks and failures at cloud infrastructure level. DORA is one of the key legislations in this domain because it frames the dependency of financial institutions on major cloud infrastructure providers.

DORA requires financial entities to adopt a holistic approach to digital operational resilience, including the management of information and communication technology (ICT) risks, and to undertake end-to-end digital testing.

The regulation also proposes the direct supervision of ICT third-party service providers by one of the European Supervisory Authorities (ESAs) to mitigate the risks stemming from financial entities' dependency on them.

Why was DORA created?

The financial sector is increasingly dependent on ICT companies to deliver technology services, opening them up to possible cyberattacks and security vulnerabilities. As regulators consider this high level of dependency a risk, the DORA regulation was created to act as a preventative framework. If a major cloud service provider were to suffer disruption, there could be global and widespread repercussions on the stability of financial markets.

DORA’s regulatory technical standards are a set of rules that provide financial guidelines on aspects such as risk management, reporting and third-party risk monitoring.

Who must comply with DORA?

Most organisations that provide financial services in the EU must comply with the DORA legislation. This includes:

• Banks,
• Credit unions,
• Investment firms,
• Insurance companies,
• ICT service providers,
• Other financial institutions.

The core components of DORA

ICT risk management

Risk management is the process of identifying potential vulnerabilities to ICT. As it’s extremely important for protecting systems from potential cyberthreats, DORA assigns management and board members the duty of establishing, executing and upholding a framework for ICT risk management.

ICT-related incident reporting

Financial services companies must implement systems to track, control, log, categorize, and report ICT-related incidents to assess attacks and their impact on customers and operations, and inform the authorities.

Digital operational resilience testing

Financial institutions are required to establish and execute a thorough digital operational resilience testing program on an annual basis. DORA specifies that financial institutions must involve ICT third-party providers in their digital operational resilience testing when appropriate.

ICT third-party risk

Financial institutions depend greatly on external ICT suppliers, many of whom may be located outside of the EU, such as various cloud service providers. As a result, financial organizations must integrate ICT third-party risk into their overall risk management strategy.

Information sharing

DORA promotes voluntary information-sharing about cyberthreat intelligence and information. The significance of leveraging the data-rich ecosystem to improve the financial sector's incident prevention and response capacities is recognized by DORA authorities.

How can Nutanix help organisations to comply with Dora

The Nutanix Cloud Platform (NCP) seamlessly runs workloads and manages data across public and private clouds, as well as edge environments. Our unified platform integrates infrastructure and management, delivering consistent operations and security for your data and applications wherever they reside.

Nutanix can provide financial institutions with the resources they might need to meet DORA's strict standards while promoting efficiency, low risk and operational resilience. NCP can support financial services companies in their efforts to comply with DORA in the following important ways:

Operational resilience

One of the primary objectives of DORA is to ensure that financial institutions possess the capability to maintain operational continuity during ICT disruptions. Nutanix offers integrated and orchestrated business continuity and disaster recovery capabilities, which optimizes the availability of critical applications in the event of a disruption and lower recovery time objectives (RTOs).

Additionally, Nutanix offers automated backup and replication features, which help to support data protection and recoverability on-premises, in the cloud and at the edge. This enables financial services companies to gain better alignment with DORA requirements for operational resilience.

ICT risk management

DORA requires financial institutions to continuously evaluate and mitigate ICT risks. Nutanix Cloud Platform offers a secure and consistent platform for managing ICT risks across various cloud environments.

Its integrated security features in NCP –, which include microsegmentation, data and traffic encryption, network segmentation and snapshot protection, and backup to immutable S3 – contribute to the protection of sensitive data and applications from potential cyberthreats.

Additionally, the Nutanix Security Dashboard provides a dynamic and customizable summary of the security posture across all environments. It allows you to view the most critical security parameters, such as cluster-based issue summary, STIG policy compliance, security hardening, and identified vulnerabilities.

The Nutanix Security Central solution is another risk management capability that unifies cloud security operations for workloads and data in any cloud. It is designed to detect and remediate threats and vulnerabilities while automating incident response with intelligent analysis and regulatory compliance.

And finally, the Nutanix Lifecycle Manager (LCM) solution facilitates automated patch management and security updates in financial institutions, which augments the identification of potential security vulnerabilities.

Incident reporting

DORA mandates that financial institutions establish clear and efficient mechanisms for reporting incidents in the case of ICT-related disruptions. Nutanix tracks all user activities in audit logs and provides syslog export to centralized log management for event correlation and forensics.

Third-party risk management

Reliance on technologies from third-party vendors is omnipresent in the financial services industry. The hybrid multicloud infrastructure of NCP helps financial institutions to retain authority over their data and applications, irrespective of their locations.

Digital operational resilience testing

NCP allows financial institutions to test and simulate their responses to ICT disruptions. As a DORA requirement, this benefit can contribute to helping your business  remain operational. With NCP business continuity and disaster recovery, testing, failover and failback are fully orchestrated to minimize human involvement.