Two years after the European Commission first published its Digital Operational Resilience Act (DORA) in response to a spate of widespread system outages and cyber threats in the financial services sector, the final vote to bring it into full force is expected imminently.
Over the last two years the Act has gone through a series of revisions and, now in its almost final state, it is expected to receive plenary approval from the European Parliament in the next few weeks. Once the Act is approved, firms will have two years to comply with the new regulations. However, leading software provider ITRS Group (ITRS) is warning that firms should not delay when it comes to implementing plans to meet compliance objectives.
To prepare for DORA’s requirements, ITRS urges firms to identify any compliance gaps in their ICT systems, determine which of their third-party providers will be considered critical vendors and map their level of risk, implement a testing framework for digital resilience, determine whether their current recovery strategies align with new standards, and put plans in place to improve them where needed.
Commenting on the final approval of DORA, ITRS CEO Guy Warren said: “This is an important first step in the standardisation of operational resilience – across the EU but also the world, with other countries’ regulatory bodies likely to follow suit sooner than many firms might expect. International firms operating in the EU who can get their compliance in order now will be ahead of the game as other regions begin to implement similar standards.
“Obviously it’s important to recognise that it’s not an easy task to both ensure and report on the resilience of the incredibly complex IT estates of modern businesses – nor should it be. This is why a single, comprehensive and real-time monitoring system across the business IT estate is essential. Having a complete view over all critical business services, plus that of third parties, will allow IT managers and business service owners to identify and mitigate problems before they occur, and track and quickly resolve any issues that do slip through.”
To ensure firms feel prepared for the changes, ITRS has produced a whitepaper which outlines key requirements for businesses to be aware of, including stress testing for digital resilience, comprehensive ICT risk management planning, ICT incident reporting, and third-party service provider risk analysis and documentation.