Navigating DORA: Operational resilience and testing insights from GFT

Pav Dhillon
gft-engineering


Introduction

In today’s rapidly evolving regulatory landscape, it’s crucial for businesses to stay ahead of legislative changes that could impact their operations. In this blog, we delve into GFT’s perspective on the Digital Operational Resilience Act (DORA) legislation, specifically focusing on operational resilience and testing.

Resilience and testing are core components that define the regulatory landscape. To aid operational resilience testing, GFT has partnered with a variety of service providers. This blog will focus on GFT’s partnership with Gremlin, a reliability management service provider, with upcoming blogs exploring how GFT’s partnerships can help meet regulatory requirements.

Operational resilience lies at the heart of DORA, encompassing a myriad of facets outlined in its articles and regulatory technical standards. These foundational elements establish the legislation’s breadth and depth within an organisation, shaping its operational framework and strategic direction.

Whilst this article provides a foundational understanding, it merely scratches the surface of DORA’s complexities. For businesses seeking a deeper comprehension and strategic guidance, we encourage further exploration of GFT’s comprehensive resources on the subject.

Stay informed, stay prepared and navigate the regulatory landscape with confidence.

Initial overview of the DORA legislation

In the financial services sector, digital operational resilience has been a focal point for years, gaining even more momentum recently with the widespread adoption of cloud technologies. Financial institutions must continuously evolve their technical frameworks to remain current, secure and efficient in serving both their business-to-business (B2B) and business-to-consumer (B2C) clientele.

In light of numerous high-profile incidents involving system outages, data breaches and security lapses, the European Union has taken decisive action by introducing DORA. The legislation entered into force on January 16, 2023, and will be fully enforceable from January 17, 2025.

Key aspects of DORA

Image 1 — DORA Key Areas

DORA encompasses multiple articles within its framework, each addressing crucial aspects of digital resilience. For detailed insights into these articles, please refer to the official documentation.

To facilitate compliance with DORA’s requirements, the European Union has issued Regulatory Technical Standards (RTS). These standards provide specific guidelines for various elements, including ICT risk management, incident reporting, digital operational resilience testing and oversight of third-party service providers.

The RTS aim to ensure that financial entities implement robust cybersecurity measures, efficient incident response protocols, rigorous testing procedures and effective monitoring of systems. The key areas covered by the RTS are:

  • ICT risk management: Financial institutions are obligated to establish comprehensive risk management frameworks to identify, categorise and mitigate ICT risks. Regular risk assessments and audits are essential to maintain the efficacy of these frameworks.
  • Incident reporting: DORA mandates the prompt reporting of significant cyber incidents to relevant authorities. This ensures timely action to mitigate systemic risks and enhances transparency in the regulatory landscape.
  • Resilience testing: Regular testing, including penetration testing and scenario-based exercises, is required to evaluate cybersecurity defences and assess the resilience of financial entities in recovering from disruptions.
  • Third-party risk management: Recognising the critical role of third-party providers in delivering ICT services, DORA emphasises the need for robust third-party risk management. Financial entities must ensure that their service providers adhere to high standards of ICT risk management and operational resilience.

Address the DORA legislation now. Don’t delay!

The urgency surrounding compliance with DORA legislation demands immediate attention. With the legislation applying from January 2025, the window for ensuring adherence is rapidly closing. At GFT, we foresee significant hurdles in implementing this legislation, particularly for large enterprises, due to the nature and complexity of their systems and processes and the sheer volume of work to be conducted in a short time frame. These hurdles are compounded by the need to carry out the implementation in production environments, which is the only way to demonstrate truly robust systems and regulatory compliance.

These challenges manifest themselves in two primary areas: firstly, the swift assessment of current compliance status through ‘gap analysis’, and secondly, the implementation phase. Establishing appropriate policy procedures and testing frameworks poses a formidable task. Whilst compliance efforts may initially focus on non-production environments, the true test of operational resilience necessitates testing within production environments.

GFT and Gremlin advocate operational resilience testing in production environments, as it provides a real-world assessment of the systems that customers rely on. One facet of this testing is known as fault injection, or chaos engineering. Despite initial hesitation about the unconventional idea of deliberately inducing ‘chaos’ in production systems, this approach demonstrates the robustness and resilience of systems in real time. Such testing validates essential operational requirements, including system availability, alerting metrics, error handling, response and recovery mechanisms, and system reliability.

For businesses unaccustomed to this level of resilience testing, GFT offers structured roadmaps tailored to progressively move testing into production environments. Beginning with non-critical services in lower environments and gradually scaling up in size and importance, GFT’s approach reflects a proactive commitment to meeting DORA testing requirements. By demonstrating the ability to test system reliability and provide quantitative reliability scores, we enable objective measurement of system performance.
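The fault-injection cycle described above (measure a steady state, inject a fault into a dependency, remove it, and check availability, degraded-mode alerting and recovery) can be expressed as a small, self-contained experiment. The following is an added illustration written for this article; it is not GFT's or Gremlin's tooling, and the `BalanceService`, `Ledger`, account ids and SLO threshold are all constructed for the example. It also goes slightly beyond the text by showing the experiment both with and without a last-known-good fallback, so the reader can see a steady-state hypothesis fail as well as hold.

```python
"""Illustrative fault-injection experiment (added example, not GFT or Gremlin code).

A constructed BalanceService depends on a constructed Ledger. The experiment
measures a steady state, injects a fault into the dependency, removes it, and
reports whether the availability SLO held and whether the service recovered.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class FaultProfile:
    """Faults to inject into the dependency; the default profile is fault-free."""
    fail_every: int = 0      # 0 = never fail; k = every k-th call raises ConnectionError
    latency_s: float = 0.0   # simulated response time reported with each call


class Ledger:
    """Stand-in for a downstream ledger API (hypothetical), with injectable faults."""

    def __init__(self):
        self.fault = FaultProfile()
        self.calls = 0

    def lookup(self, account_id: str) -> dict:
        self.calls += 1
        if self.fault.fail_every and self.calls % self.fault.fail_every == 0:
            raise ConnectionError("ledger unavailable")
        return {"account": account_id, "balance": 100, "latency_s": self.fault.latency_s}


class BalanceService:
    """Service under test: bounded retries, a timeout budget and an optional
    last-known-good fallback, with counters an alert rule or dashboard could read."""

    def __init__(self, ledger: Ledger, timeout_s=0.5, max_attempts=3, fallback=True):
        self.ledger, self.timeout_s = ledger, timeout_s
        self.max_attempts, self.fallback = max_attempts, fallback
        self.cache = {}            # account id -> last successfully fetched balance
        self.metrics = Counter()

    def get_balance(self, account_id: str) -> dict:
        last_error = None
        for attempt in range(1, self.max_attempts + 1):
            try:
                result = self.ledger.lookup(account_id)
                if result["latency_s"] > self.timeout_s:    # a slow answer counts as a failure
                    raise TimeoutError(f"ledger exceeded {self.timeout_s}s")
                self.cache[account_id] = result["balance"]
                self.metrics["fresh"] += 1
                if attempt > 1:
                    self.metrics["retried"] += 1
                return {"balance": result["balance"], "stale": False}
            except (ConnectionError, TimeoutError) as exc:
                self.metrics["dependency_errors"] += 1
                last_error = exc
        if self.fallback and account_id in self.cache:     # degraded mode: serve the cached value
            self.metrics["stale"] += 1
            return {"balance": self.cache[account_id], "stale": True}
        self.metrics["failed"] += 1
        raise RuntimeError(f"no balance available: {last_error}")


def run_phase(service: BalanceService, accounts: list, requests: int) -> dict:
    """Send requests round-robin over the accounts; return availability and stale share."""
    served = stale = 0
    for i in range(requests):
        try:
            reply = service.get_balance(accounts[i % len(accounts)])
            served += 1
            stale += 1 if reply["stale"] else 0
        except RuntimeError:
            pass
    return {"availability": served / requests, "stale_fraction": stale / requests}


def chaos_experiment(fault: FaultProfile, requests=100, slo=0.99, fallback=True) -> dict:
    """Steady state -> inject fault -> remove fault. The steady-state hypothesis is
    'availability stays at or above the SLO'; recovery means fresh data is served again."""
    ledger = Ledger()
    service = BalanceService(ledger, fallback=fallback)
    accounts = [f"acct-{n}" for n in range(5)]              # constructed sample accounts
    baseline = run_phase(service, accounts, requests)
    ledger.fault = fault
    during = run_phase(service, accounts, requests)
    ledger.fault = FaultProfile()
    after = run_phase(service, accounts, requests)
    return {
        "baseline": baseline, "during": during, "after": after,
        "slo_held": during["availability"] >= slo,
        "recovered": after["availability"] >= slo and after["stale_fraction"] == 0.0,
        "degraded_mode_alert": during["stale_fraction"] > 0.0,   # what an alert rule should fire on
        "metrics": dict(service.metrics),
    }


if __name__ == "__main__":
    for name, profile in [("intermittent errors", FaultProfile(fail_every=2)),
                          ("dependency down", FaultProfile(fail_every=1)),
                          ("slow dependency", FaultProfile(latency_s=2.0))]:
        print(name, chaos_experiment(profile))
    print("dependency down, no fallback", chaos_experiment(FaultProfile(fail_every=1), fallback=False))
```

Each run returns the three phase measurements plus three verdicts: whether the SLO held during the fault, whether a degraded-mode signal was raised (the "alerting metrics" requirement), and whether the service returned to serving fresh data once the fault was removed (the "recovery" requirement). With the fallback disabled, the "dependency down" scenario fails its steady-state hypothesis outright, which is the kind of finding a production experiment is meant to surface before a real outage does.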

DORA and resiliency

Let’s begin by laying the groundwork. Our initial step involves conducting a thorough analysis of current IT procedures, policies, testing protocols, resilience strategies and business continuity plans. This assessment provides a crucial baseline for identifying potential gaps between the existing state and the desired state of DORA compliance.

Given the primary focus of this blog on operational resilience and testing, our attention turns to evaluating the resilience and reliability of the systems and mapping this assessment to critical and important functions.

Critical and important functions serve as pivotal areas that warrant clear definition across all services. These functions are instrumental in ensuring the reliability and functionality of the operations. For clarity, critical functions are those whose disruption would significantly impact the financial performance, soundness or continuity of a business’s services. Meanwhile, important functions are those whose discontinued, defective or failed performance would materially impair a business’s compliance with regulatory obligations.

To facilitate the identification of these critical and important systems, we can refer to the table below (Table 1). This table outlines a structured approach for defining the criticality of systems, together with the key metrics that should be considered in this assessment.

Table 1 - GFT's Service Criticality Table: taken from GFT's SRE Offering Pack

Table 1 characterises the necessity for clearly defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO), derived from the highest-level business requirements. This, in turn, underscores the importance of having robust continuity plans for restoration and recovery, backup systems, as well as active strategies for containment and recovery. These components collectively contribute to meeting DORA’s requirements for operational resilience, business continuity planning and resiliency reporting.

Gremlin: Operational resilience and testing

Over the last few years, GFT and Gremlin have been working closely together to build and validate resilient systems and are working closely with large financial firms to implement effective DORA practices.

Gremlin’s platform helps organisations meet DORA requirements by automatically tracking, monitoring and testing ICT services and infrastructure for resiliency risks. Financial firms can strengthen the reliability posture of their ICT infrastructure by streamlining digital operational resilience testing, enhancing capacity and performance management, and automating business continuity planning and testing.

Drawing from the Regulatory Technical Standards (RTS) and DORA articles, the following table (Table 2) summarises specific DORA requirements and aligns them with the capabilities offered by Gremlin.

Table 2 - GFT's Mapping of DORA Requirements vs Gremlin's Functionality

Moving forward

Achieving compliance with DORA is undeniably a significant endeavour for any business. It entails a lengthy process of instituting changes at the highest levels within organisations, emphasising the criticality of resilience in every aspect of system, service and architectural design to meet the stringent standards required for conducting business within the EU.

In forthcoming articles, GFT will delve deeper into the intricacies of architecture patterns and explore how Gremlin plays a pivotal role in facilitating operational resilience testing (chaos engineering and reliability management). Alongside this, GFT’s further blogs will discuss how SRE and DevOps maturity aids in building resilient, reliable systems and in building confidence when complying with DORA regulations. Overall, this will serve as a catalyst for conducting rigorous resilience engineering and testing, as well as bolstering reliability management efforts to support DORA compliance.

Stay informed, stay prepared and navigate the regulatory landscape with confidence.
