
IT For CEOs & CFOs
Rocket Software comments on DORA
One year after the EU’s Digital Operational Resilience Act (DORA) came into effect, we ask Cynthia Overby, Director Strategic Security Solutions, zCOE at Rocket Software, how DORA, alongside the UK’s Operational Resilience Rules and its statutory framework for Critical Third Parties (CTP), can determine how financial institutions need to operate in the region.
“The intent of DORA is a unified framework for managing third-party risks in the financial sector, ensuring institutions like banks and insurers can withstand, respond to, and recover from cyberattacks and IT failures. By now, DORA compliance should be well on its way to being fully embedded into the corporate policies and resilience programmes of all financial institutions within the EU, as well as those who do regular business with the region.”
“The implications of DORA extend beyond just how financial institutions function. While the bulk of the responsibility lies with them, the framework’s goal is a fully protected supply chain, so specific and direct responsibilities are also imposed on critical third-party information and communication technology (ICT) service providers. These include implementing risk management frameworks, incident reporting, ensuring business continuity through rigorous disaster recovery plans, and adherence to standards outlined in DORA’s technical standards section. This shared accountability means that every actor within the chain needs to be fully aware of what applies to them and how to be compliant, which starts with a thorough review of their own contracts.”
“To use an analogy, compliance is a bit like speeding. A motorist may exceed the speed limit and be OK until they are pulled over – and if nothing happens, then nobody knows. But if there is an incident and they are outside of compliance, that’s when fines, reputational issues and the financial costs of remediation all come into play.”