Earlier this month, the EU’s supervisory authorities published new policy products adding further detail to the Digital Operational Resilience Act (DORA), which will come into effect on January 17th 2025.
The regulation places a range of new responsibilities on organisations in the financial sector. Many firms that make up the complex web of organisations the regulation applies to – from third-party IT service providers to crowdfunding service providers to central counterparties – still need to make changes to meet these responsibilities.
This needn’t lead to panic and rash decisions like shelling out on consultant fees to manage the required change to become DORA compliant. Instead, IT and security leads should look to what they can do themselves when armed with data-driven automation.
What are the DORA requirements?
DORA requires organisations in the financial sector to continuously monitor their IT environments to identify and address vulnerabilities, detect unusual or suspicious patterns in network traffic, and more. DORA also emphasises the need for stringent risk management through effective controls and, closely linked to this, maintaining an up-to-date inventory of all IT assets to classify risk.
It certainly sounds daunting but let’s break it down with data-driven automation. Using the A-Ops platform, IT security teams can build workflows to automate critical but repetitive security processes to meet the requirements.
It’s simple to start carrying out extensive attack surface detection, across specified organisational domains, feeding into a real-time dashboard with the information needed to satisfy regulators. We’ve previously covered how A-Ops can integrate with AWS’ OpenSearch software to automate traditional security data streaming and alerting at a fraction of the cost of traditional SIEM solutions. This helps to identify incidents quickly and establish the comprehensive view of security required by DORA.
A-Ops is also incredibly useful in developing an up-to-date inventory of assets. Its rich set of integrations allows IT security teams to pull data across the organisation, from all the required sources, so they’re equipped with all the information they need to establish the risk picture.
How to break down silos for a clear risk picture
A-Ops can be utilised to great effect in preparing for DORA, but the wide-reaching nature of the regulation requires engagement and alignment across entire organisations. Financial services firms, for example, can be particularly siloed in how they work, which can prevent the data sharing needed to establish a clear risk picture.
A-Ops navigates this with simple automation workflows to gather the permission of individual teams to start feeding data into the central A-Ops ‘pane of glass’ without the need for lots of manual intervention. A-Ops also overcomes the privacy concerns related to sharing data because it can be deployed on-prem, as software that stays in one IT environment. It’s flexible and adapts to customer requirements.
Getting ready for DORA may feel daunting, but organisations should also consider it an opportunity. Once in place, data-driven automation has broader applications – driving improvements in identity and access management and the management of data privacy.
For more information about how A-Ops can help you meet and measure DORA compliance, get in touch.