bugzero background
What's Different with the DORA Regulation?

What's Different with the DORA Regulation?

Miles Lancaster

Miles Lancaster

Architecture, Compliance, and Security

The Digital Operational Resilience Act regulation marks a significant shift in the landscape of IT operational risk. This new EU legislation is focused on IT Operational Resilience. It brings into scope Critical Third Party Providers and requires public reporting of all incidents, in addition to fines. The DORA regulation enforces this via policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity, and confidentiality.  

DORA is not like past cybersecurity regulations. However, it does have an analogue in the UK Resilience Framework which was enacted in 2021. The UK Operational Resilience Framework is very similar to DORA, but one year ahead, going into force in 2024. What are the high-level differences that affect a business’ preparations for January 2025, when the regulation goes into effect? 

This article provides an overview of the high-level changes coming with DORA, their implications, and a solution to help you become DORA compliant. 

Difference #1: Operational Resilience is the Focus 

The DORA regulation introduces a novel perspective on IT risk management. It specifically emphasizes operational resilience, a concept that incorporates the management of IT software operational defects. This component has been overlooked in previous regulations. 

Operational defects can significantly impact IT risk. They are errors or flaws in software that cause it to produce unexpected results or behave erratically with other systems. These defects can result in system downtime, loss of customer trust, financial losses, and other less tangible impacts.  

“The European Commission flagged in its [DORA] proposal the continued challenges posed by ICT risks to the operational resilience, performance and stability of the EU financial system, noting that post-crisis reforms had not fully addressed digital operational resilience.”   

Source: Operational Resilience in the UK, EU and US: A Comparison  

 The larger the financial entity, the more significant these impacts can be. A single hour of downtime, often the result of operational defects, can cost millions of dollars.  

As an example, there was a massive global outage in 2021 that left Facebook, Instagram and WhatsApp offline for at least five hours. Facebook later claimed that it was due to a bug in their auditing tool that didn’t properly stop an errant command. 

To prevent these outages, firms are now required to implement strategies for identifying and mitigating the risks by January 2025. This might involve rigorous testing, continuous change management, incident reporting, and automated software solutions.  

DORA's focus on operational resilience underscores the importance of preventing, adapting, responding to, and learning from operational disruptions to grow. This is a marked paradigm shift in the realm of IT risk management

Difference #2: Critical Third Party Providers Are Now in Scope 

One of the major differentiators of DORA is that it extends to include vendors and third-party providers. In-scope third party providers include: cloud services, software, data analytics, and datacenter among others. 

DORA has broadened the traditional focus of IT risk regulations beyond cybersecurity and Common Vulnerabilities and Exposures (CVEs). It shines the regulatory spotlight on operational defects, also known as software bugs, stability bugs, or functional bugs.  

These operational defects, often introduced by third-party vendors, can cause significant disruptions in the IT operations of financial firms. These disruptions lead to costly downtime.  

Unlike previous regulations that overlooked this crucial aspect of an IT ecosystem, DORA recognizes that vendors and service providers play a central role in IT operations. Their software can introduce risks into an organization’s IT stack, hence the need for their inclusion in DORA.  

Traditionally, IT regulations were more reactive. They primarily focused on identifying and addressing CVEs listed in the National Vulnerability Database. However, DORA is more proactive and capabilities-led. It encourages organizations to create a digital resilience strategy that continuously monitors risks introduced by third-party vendors. 

This shift in focus necessitates a new approach to IT risk management for financial entities, and could soon affect businesses in the U.S. For now, these EU financial entities must consider not just the risks posed by security vulnerabilities, but also the risks from third-party vendors and operational defects.  

Difference #3: Incidents are Reported Publicly 

Non-compliance with the DORA regulation carries substantial consequences for financial firms operating in the EU. One of the most immediate risks is the imposition of hefty fines, along with the reputational impact of publicly report incidents.  

For instance, firms may face daily fines up to 1% of their average daily worldwide turnover for up to six months. This substantial financial penalty underscores the seriousness with which the EU regards IT operational resilience. 

Beyond monetary penalties, non-compliance also exposes firms to the wrong kind of publicity. All incidents are to be publicly reported by the governing body. Given DORA's scope to include third-party service providers, firms that fail to adequately manage these risks could face operational disruptions, loss of business, and reputational damage. 

Adapting to DORA's requirements will necessitate a change in firms' IT risk management practices. While these changes may require an upfront investment in resources, they are crucial for ensuring operational resilience.  

With the DORA regulation setting a new benchmark in IT risk management, it's worth noting that its principles could influence similar legislation in other countries. Early action to address DORA regulation might be a prudent strategy for internationally operating businesses. 

Add Proactive Defect Management to Your DORA Strategy 

As we've seen, the Digital Operational Resilience Act (DORA) has introduced new changes to IT risk management for EU financial entities. Its unique focus on operational resilience, third-party providers, and its publicly announced penalties for non-compliance all underscore a significant shift.  

Financial entities must now consider a wider array of IT risk including operational defects and third-party risks, and implement workflows to mitigate them. 

The importance of addressing these operational defects cannot be overstated. The benefits of becoming DORA compliant are twofold; not only does it ensure regulatory compliance and avoidance of public shaming, but it also reduces the chance of costly disruptions.   

It's time for financial entities to take an even harder look at their IT risk management practices in light of DORA. By addressing the changes introduced by the DORA regulation, firms can:  

  • Strengthen their operational resilience 

  • Mitigate a broader range of IT risks 

  • Experience fewer IT disruptions 

If your business wants an automated solution to help you meet the DORA regulation requirements faster, then consider BugZero. Our platform helps your business lower IT risk and automate managing operational defects.   

Learn more about how BugZero can help your team today!

Share:

Do you know how much operational outages are costing you?

Understand the cost to your business and how BugZero can help you reduce those costs.

Sign up for our monthly Zero Defect Digest