Speak to a rep about your business needs
See our product support options
General inquiries and locations
Contact UsDORA regulations fortify operations and ensure resilience to shield your organization from financial penalties and reputational risks.
“With new regulations like the Digital Operational Resilience Act (DORA) in Europe, resilience is now a legal mandate. The conclusion is clear: Operations teams must rise to the challenge of modern mainframe resilience.”
Jason Bloomberg, Intellyx – Founder & Principal AnalystProvided for informational purposes only. This information should not be considered legal advice, and may not reflect the latest in legal/regulatory/compliance/etc. Always consult with council or qualified legal professionals, and/or relevant authorities.
Why is DORA happening?
The 5 pillars of DORA are:
ICT risk management and governance
This requirement involves strategizing, assessing, and implementing controls. Accountability spans all levels, with entities expected to prepare for disruptions. Plans include data recovery, communication strategies, and measures for various cyber risk scenarios.
Incident reporting
Entities must establish systems for monitoring, managing, and reporting ICT incidents. Depending on severity, reports to regulators and affected parties may be necessary, including initial, progress, and root cause analyses.
Digital operational resilience testing
Entities must regularly test their ICT systems to assess protections and identify vulnerabilities. Results are reported to competent authorities, with basic tests annually and threat-led penetration testing (TLPT) every three years.
Third-party risk management
Financial firms must actively manage ICT third-party risk, negotiating exit strategies, audits, and performance targets. Compliance is enforced by competent authorities, with proposals for standardized contractual clauses under exploration.
Information sharing
Financial entities are urged by the DORA to develop incident learning processes, including participation in voluntary threat intelligence sharing. Shared information must comply with relevant guidelines, safeguarding personally identifiable information (PII) under the EU's General Data Protection Regulation (GDPR).
The Digital Operational Resilience Act’s core principles ensure that financial institutions understand their entire IT landscape, including their third-party service suppliers, and can identify potential vulnerabilities and risks and implement robust automated strategies to protect their systems, data, and customers from cyberthreats and other disruptions.
While the DORA regulatory focus is on ICT and third-party risk management, incident reporting, resilience testing, and information sharing, firms with mainframe systems should also consider the following:
Implement regular health checks, automated maintenance tasks, and predictive alarms based on workload patterns.
Conduct regular vulnerability assessments, security control enhancements, real-time monitoring, and penetration testing to identify and remediate vulnerabilities unique to the mainframe architecture.
Develop robust recovery plans and automated backup solutions that include detailed procedures for various failure scenarios.
Seamlessly integrate mainframe monitoring alerts into the overall enterprise service console to provide a unified view of incidents and effectively manage them across the organization.
Enforce compliance with vulnerability evaluations, compliance checks, and continuous adherence to regulatory standards to safeguard mainframe systems from potential fines and reputational risks.
Discover, map, and understand all critical business services and dependencies.
Develop risk assessment and control strategies, ensuring accountability and planning for disruptions.
Develop robust continuity and capacity management plans to maximize service resilience and enable rapid recovery from issues.
Establish a high capability for collaborating and detecting and responding to IT issues.
Enforce compliance with vulnerability evaluations and compliance checks and establish continuous adherence to regulatory standards to safeguard mainframe systems from potential fines and reputational risks.
DORA outlines five considerations for rapid response, recovery, and compliance that align with the aforementioned key aspects of DORA as they relate to the mainframe.
Identify
Understanding risk to systems, people, assets, data, and capabilities, including business context, policies, and vulnerabilities.
Protect
Ensure safeguards to limit or contain the impact of a potential cybersecurity event. Fortify defenses to ensure the integrity and security of critical data and systems.
Detect
Discover cybersecurity events and anomalies in real time and understand their potential impact. Identify and understand potential threats for swift mitigation.
Respond
Take action to limit the impact of cybersecurity events and anomalies. Well-defined response mechanisms and protocols in place.
Recover
Restore data, systems, and operations to normal conditions. Ensure systems can bounce back efficiently and effectively.
BMC offers a range of solutions that address the full scope of the five focus areas outlined above, as well as specific sub-focus areas within each, as follows.
Identify and control problems quickly with a single view and unite AIOps processes across the business with data sharing.
Improve productivity, increase system availability, manage alarms and events generated by monitor components, and automate mainframe event data integration for your operations management systems.
Detect problems and generate notifications before they impact the business with an AI solution that conducts multivariate analysis for all KPIs simultaneously and is continuously learning.
BMC AMI Command Center for Security and BMC AMI Datastream
Reduce risk, strengthen your security posture, and stop threats before the threaten your environment with configurations and recommendations designed by mainframe hacking experts.
BMC AMI Security Session Monitor
Deter insider threats by capturing and analyzing start-to-finish user session activity that provides deep insight into user behaviors; identify and reduce cybersecurity threats with unique methodologies.
BMC AMI Enterprise Connector for Illumio
Identify and control network traffic by automatically converting Illumio micro segmentation rules into TCP/IP mainframe rules to increase productivity and security.
BMC Mainframe Services: Penetration Testing
Get regular and ongoing professional checkups that include security evaluations via a simulated “real-world” attack from an experienced BMC pentesting team.
BMC Mainframe Services: Mainframe SWIFT Assessment Service
Reduce the risk of internal and external attacks with a review by BMC specialists who can reveal weaknesses and vulnerabilities so you can plug gaps in your defenses and secure your mainframe.
Assure your required resources are available for recovery by estimating and simulating recovery scenarios and automating, accelerating, and streamlining backup and recovery jobs.
Check the data integrity of all unstructured or line of business (LOB) objects and data and fix any correctable errors.
BMC AMI Backup and Recovery for IMS™
Estimate, simulate, and educate your team about recovery scenarios to ensure compliance and meet your recovery time objectives (RTOs) with point in time (PIT) recovery capabilities.
BMC AMI Command Center for Security
Leverage this integrated solution set to identify the time of an attack, identify the golden copy back up, and restore the database after the last clean backup to with minimal data loss. Recover anywhere even if the primary site was compromised.
Use object storage data protection capabilities like immutable copies and back up a third, or “golden” copy to, and recover directly from, the cloud with no dependency on a compromised system.
BMC Helix Continuous Optimization for Mainframes and BMC AMI Capacity Management
Proactively diagnose and prevent capacity-driven performance problems, validate system investments, right-size your environment, and reduce costs with accurate, comprehensive performance monitoring.
BMC AMI Database Integrity for IMS™
Protect the integrity of your IMS data by addressing the most common cause of IMS database problems, cross-referencing control block libraries, and auditing database definition (DBD) libraries.
BMC AMI Message Advisor for IMS™
Automatically monitor and manage IMS message queues to reduce restart times, prevent IMS outages, and improve IMS availability.
BMC AMI Command Center Security
Prevent and mitigate cyberattacks with AI-enabled, real-time behavioral analytics that identify known indicators of compromise (IOCs) and automated responses. Pinpoint the source and time of attacks, enabling identification of the golden copy from which to recover.
Automate event integration and send mainframe event data to BMC Helix Operations Management or other enterprise-wide operations management systems.
BMC AMI Security Policy Manager
Harden the mainframe from attacks and quickly uncover and address security gaps before a compromise or exploit can occur with automatic configuration scanning, recommendations, and reporting.
BMC AMI Command Center Security
Recognize suspicious user behavior and identify possible cyberattacks and ransomware threats in real time with AI-enabled tools.
Simplify the complex task of preparing data for testing without writing programs or scripts and without leaving the streamlined interface. Ensure data integrity based on referential integrity or application relationships, and mask sensitive test data.
BMC AMI Enterprise Connector for Venafi
Improve quality and reduce time and manual certificate management with an automated approach that can implement and deploy hundreds to thousands of certificates every month.
Better understand which of BMC’s service and operations management offerings can help meet your organization’s needs for each of DORA’s 5 focus areas:
Rapid discovery, relationship modelling, and visualization for accurate asset and relationship views from any point in any complex IT infrastructure.
BMC Helix Operations Management
Proactively detect, correlate, and analyze events and determine root causes.
BMC Helix Continuous Optimization
Optimize resources to ensure alignment with changes in business demand, reducing risk and waste, and preventing interruptions.
Provide accurate, up-to-date asset and relationship views from any point in any complex IT infrastructure.
Proactively comply with policies, prevent breaches and improve uptime through rapid automated security management.
BMC Helix for Security Incident Handling
Manage security issues with runbooks and collaboration, providing automated analytics and reporting.
BMC Helix Continuous Optimization
Optimize resources to ensure alignment with changes in business demand, reducing risk and waste, and preventing interruptions.
Automate the business continuity process for digital services, in full compliance with policies and service standards.
Rapid discovery, relationship modelling, and visualization for accurate asset and relationship views from any point in any complex IT infrastructure.
BMC Helix Operations Management with AIOps
Proactively detect, correlate, and analyze events, determine root causes, and recommend proactive actions. Automate incident creation.
Optimize management of IT issues with collaboration and workflow. AI-driven problem and major incident detection. Classification, assignment and task management.
BMC Helix Dashboards
Gain rapid and detailed insights from different business lines across the entire enterprise, with Grafana-powered dashboards and reports.
Proactively comply with policies, prevent breaches and improve uptime through rapid automated security management.
Automate the business continuity process for digital services, in full compliance with policies and service standards.
First, a quick DORA (Digital Operational Resilience Act) summary. DORA is a comprehensive European union (EU) regulation designed to:
The DORA regulatory legislation defines technical standards, capabilities, and outcomes to ensure all organizations under its jurisdiction follow a unified set of practices to maintain their security and continuous operations during incidents that threaten their ICT systems.
The DORA regulation applies to financial entities within the EU and the critical third-party ICT providers that serve them. These financial entities have undergone rapid digitalization. They are common targets for cyberattacks, and the fallout from suffering an incident impacts every other organization that depends on the financial entity’s core services.
Authorities within the EU drafted DORA to help financial organizations and their providers understand and manage risks, and ensure their services are operational at all times.
The following Digital Operational Resilience Act timeline summarizes the key moments in this legislation’s history.
DORA goes into effect on January 17, 2025. On that date, all entities and providers under its purview must be in full compliance with its requirements, or they will be at risk for fines and penalties.
CTPPS (Critical Third-Party Providers)
The DORA regulation sets requirements for both financial entities and the third-party ICT providers that serve them. However, DORA only applies to what it defines as “critical” providers, and the legislation often refers to them as critical third-party providers, or CTPPS.
The legislation is somewhat ambiguous about what is considered a “critical” provider, though it relates to how integrated and important a service is for a financial entity’s operations. These providers are directly impacted by DORA and its authorities.
NISD (Network and Information Security Directive)
The Network and Information Security Directive (NISD) is a broader directive to improve the security and resilience of organizations and infrastructure within the EU. NISD applies to operators of essential services and relevant digital service providers, and imposes similar requirements to DORA.
NISD goes live in October 2024, a few months before DORA. Together, the two regulations make it clear that cybersecurity and resilience are core concerns for the EU, and additional legislation for other industries is likely to follow.
DORA empowers multiple authorities to supervise its implementation, enforce its policies, and levy penalties for entities that fail to comply. These are often referred to as European Supervisory Authorities (ESAs), and they include:
An independent EU organization “whose purpose is to improve investor protection and promote stable, orderly financial markets.” (EU)
A part of the European system of financial supervision that provides “advice to the European Commission, the European Parliament and the Council of the European Union.” (EU)
An agency “tasked with implementing a standard set of rules to regulate and supervise banking across all EU countries.” (EU)
The ESAs are the organizations that drafted DORA’s regulatory technical standards (RTS) and implementing technical standards (ITS). They are also responsible for assessing and enforcing compliance with the legislation.
DORA authorities, including the ESAs, will evaluate compliance with the legislation’s requirements. They will perform direct oversight for both financial entities, and for third parties deemed critical ICT providers and under their jurisdiction.
These authorities will also collaborate with entities and providers, receive their reports of incidents and notifications of threats, and offer guidance and best practices for maintaining compliance.
Certain forms of oversight will be performed by entities and providers themselves. Entities are required to maintain oversight over their third-party ICT providers, and both groups are required to maintain awareness of their own risks.
Entities and providers will be required to prove compliance with DORA’s requirements, which include vulnerability scans and assessments, annual recovery testing, physically and logically segregated data vaults, and rapid event reporting.
ESAs will also be empowered to perform audits, request information and documentation, and levy penalties. These can include financial penalties, denying approval for providers to work with DORA EU financial entities, and forcing an organization to cease to operations.
Broadly speaking, the DORA regulation applies to financial entities operating within the EU and the third-party ICT providers that do business with them.
DORA classifies 21 categories of financial activities that fall under its scope, which means the legislation applies to a wide range of financial entities and service providers. These include:
DORA sets requirements for “critical” third-party ICT providers that do business with financial institutions within the EU, even if those providers are not headquartered in the EU. DORA includes third-party ICT providers that appear location-agnostic, including cloud service providers, data center providers, and data analytics providers.
These new technical requirements will be written into contracts between financial entities and third-party ICT providers. At the moment, these contract requirements will be defined by the entities themselves, but it is possible that DORA will include standardized contracts or terms that must be used by providers and entities.
This would place third-party ICT providers under greater oversight and scrutiny from both the financial entities they support and EU financial authorities. Third-party ICT providers may also need to have a legal subsidiary within the EU to offer their services to financial entities within the EU.
DORA regulations broadly define which third-party ICT providers are deemed “critical” as any provider that offers important functions to financial entities, and whose services may impact a financial entity’s business stability and continuity.
DORA regulation offers limited exemptions for smaller financial entities that employ less than 10 people and have annual turnover and/or balance sheet totals under two million Euros. It also does not apply to certain entities exempt from related legislation. For them, DORA requires a simplified version of its ICT risk management framework.
In terms of third-party ICT providers, DORA sets requirements for providers deemed “critical,” as outlined above. However this remains a broad term, and it is unclear whether DORA will effectively apply to all providers that service financial entities.
Overall, DORA requirements follow the principle of proportionality. They are designed for financial entities that align with a specific size, risk profile, nature, scope, and complexity of services, activities, and operations. Under DORA, financial entities that meet these criteria will need to meet all of the act’s requirements.
DORA outlines a range of specific fines and penalties for non-compliance. It also gives authorities the power to apply additional penalties at their discretion.
Under DORA, financial entities that violate the act can be fined a periodic penalty of up to one percent of their average daily global turnover for up to six months (or until they achieve compliance). They may also be fined up to two percent of the annual global turnover. Third-party ICT providers are subject to the same potential penalties and fines.
Individuals who violate DORA can be fined up to one million Euros.
Additional penalties will be determined by each EU member state, and by the “competent authorities” and ESAs within them. These authorities may audit or suspend an entity or provider’s operations, send cease-and-desist orders and termination notices, issue public notices, or levy administrative or criminal penalties.
While IT leaders will remain key players in ICT risk management, DORA expands the capability beyond the domain of IT leadership in two ways:
DORA regulatory legislation mandates that financial entities establish or adjust their internal governance framework to align with its requirements. Financial entities must also establish or realign their management body. Non-technical board members, executive leaders, and other senior business managers are now expected to play an active role in IT governance, and can be held accountable if their entity fails to comply with DORA.
Maintaining compliance with DORA’s risk management framework will require a cross-functional effort. The following RACI chart outlines the various themes that must be addressed, and the teams and roles responsible for them.
Theme | Responsible | Accountable | Consulted | Informed |
---|---|---|---|---|
Incident management | Head of Operations, Security Operations Center (SOC) | CIO, COO, CISO | COO, CISO | C-suite |
Business continuity management | Head of Business Continuity, Operational Resilience | CIO, COO, CISO | COO, CISO | C-suite |
Service awareness and visibility | Head of Distributed Infrastructure Services, Head of Mainframe Infrastructure Services | CIO, COO, CISO | CIO, COO, CISO | C-suite |
Risk management | Head of IT Risk, Mainframe Security, Outsourcing, Third Party Risk management (TPRM), Cyber Risk Management | CIO, COO, CISO, Head of Procurement | COO, CISO | C-suite |
Governance | Head of IT Compliance, Legal, Procurement | Head of IT Audit, Head of Compliance | COO, CISO | C-suite |
Under DORA, banking entities and other financial entities must periodically test their operational resiliency plans. This includes testing to ensure they are prepared for likely disruptions, identifying and resolving deficiencies within their response plans. It also includes testing resilience against higher-level risks—such as ransomware attacks—through threat-led penetration testing (TLTP).
In addition, DORA requires financial entities to expand their incident reporting capabilities and practices. DORA demands that entities:
Managing risk from third-party ICT providers is a core element of DORA. The legislation identifies significant risk from these providers and the supply chain as a whole. It defines requirements that third-party ICT providers must follow, as well as requirements for how financial entities must engage with their providers.
Both sets of requirements are detailed in greater length below.
The DORA act is an ICT risk management framework for financial entities. It seeks to expand ICT risk management beyond previous definitions, which primarily required entities to hold enough capital to mitigate their risks, and to unify these expanded risk management practices across all entities within the EU.
DORA also highlights “ICT risk management and governance” as one of its five pillars, and defines requirements that include, but are not limited to:
DORA also defines specific ICT risk management requirements related to third-party ICT providers, as well as new governance requirements. Both are detailed below.
Third-party ICT providers that service financial entities—and are defined as “critical”—will be subject to an oversight framework imposed by DORA authorities, and will fall under direct supervision by EU financial authorities.
DORA authorities will monitor these providers to determine the risk that they bring to their customers, and to ensure they are managing their ICT risk properly. To do so, DORA authorities may request information and documentation on a provider’s risk management practices, perform investigations and inspections, recommend actions, and levy fines and penalties.
However, the DORA framework and the DORA authorities that manage it are not the only bodies responsible for third-party compliance with DORA. The legislation requires that individual financial entities reshape their relationships with these providers, as well, and take some accountability for managing their own supply chain risks.
DORA regulatory legislation will become a standard element of all relationships between financial entities within the EU, and the third-party ICT providers that serve them.
The legislation seeks to increase the sector’s resilience against supply chain attacks and operational incidents, and to ensure financial entities can maintain continuity during these events. To do so, DORA places requirements on how entities understand and manage their third-party risks, and manage their relationships with providers.
Financial entities will be required to map their dependencies on third-party ICT providers, and to document the vulnerabilities that each provider creates. Further, entities will be required to take active measures to mitigate the risks they uncover. These measures include, but are not limited to:
Financial entities will take an active role ensuring their service providers meet DORA’s requirements. Entities will be expected to write DORA compliance into their contracts with providers. These clauses will ensure technical standards are met; exit strategies, audits, and resilience targets are defined; and risk is contractually managed.
DORA authorities will support financial entities in these contract requirements. Financial entities will not be able to work with providers that are subject to DORA and do not meet its requirements, and authorities will be able to suspend or terminate contracts with providers that do not meet requirements, or fall out of compliance.
In the future, DORA will likely include standardized contractual clauses and/or contract templates to streamline this process. Service providers will also likely make DORA compliance a standard feature of their service, like they have done with General Data Protection Regulation (GDPR) and other related regulations.
DORA compliance will become non-negotiable in every relationship between financial entities doing business within the EU and third-party ICT service providers.
However, the degree of compliance and the terms that must be met will be subject to the same principle of proportionality as other elements of DORA. Financial entities will be expected to ensure a higher degree of compliance from third-party ICT providers that are more critical to their operations, and set a lower level of compliance for providers that are less critical to their operations and carry lower risk.
By setting these requirements, DORA attempts to reduce the scale and impact of third-party provider risk within financial entities—and the sector as a whole—without becoming an unnecessarily high barrier to provider-entity relationships.
DORA is a complicated set of regulations with an extensive list of new requirements and technical standards to meet. Bringing it to life will be difficult for many financial entities and third-party ICT providers. The following checklist provides a simple way to get started building compliance as quickly as possible.
Assessing current ICT systems and identifying gaps
Some of DORA’s requirements are easy to assess against, others are not. For example, DORA specifically states that a financial entity’s backup data must be logically and physically segregated, and that it must be able to test its recovery plans once per year. These are concrete requirements that you either meet or need to develop.
Other DORA requirements are more ambiguous. For example, DORA states that cyberattacks need to be “promptly and quickly” resolved. While DORA states that critical functions must be recovered within two hours of the incident, there is no clear-cut timeline for when an incident must be resolved in full.
Creating a culture of cyber resilience in financial institutions
Every requirement in the DORA regulation focuses on building cyber resilience—the ability to withstand and recover from any disruptive incident. Resilience goes beyond simply developing business continuity plans and disaster recovery protocols, and creates additional systems to deal with complex, modern threats like ransomware attacks.
A culture of resilience focuses on five core competencies:
Essential collaboration between IT teams and regulatory bodies
In the past, financial entities and EU member states all followed their own protocols and standards. This created a patchwork of regulations and best practices that opened vulnerabilities and made compliance difficult to navigate. DORA seeks to standardize protocols to create a unified, secure EU financial sector.
This is a collaborative effort. The DORA law requests feedback from entities, voluntary sharing of threats, and open reporting of incidents. Maintaining open dialogue with DORA’s authorities not only makes the framework more effective, but it also keeps entities in the loop on ever-changing regulations so they can stay ahead of new requirements.
Meeting new technical standards
A financial entity’s ability to meet DORA’s technical standards largely depends on its tools and partnerships with compliant, experienced providers. The first step will be leveraging pre-existing structures, capabilities, and relationships that need to be tweaked or expanded to fill gaps in DORA’s requirements.
However, most entities will need to make additional investments. For example, while many financial entities already have a second backup data storage system in place, DORA states they must have immutable backups that are physically and logically segregated from all other sources, which typically requires investment in a third, cybervault technology.
DORA does not exist in a vacuum. It follows and closely mirrors other regulations that attempt to standardize and improve cybersecurity practices across the EU, and it will likely inform a large number of coming regulations in multiple industries.
Predicting the evolution and impact of DORA
DORA will improve cybersecurity and outline operational resilience regulations for financial entities as well as entities in many other industries. The reason for this is twofold. First, DORA sets higher standards for third-party ICT providers. Few of these providers only service the financial sector. Most of them serve organizations in every industry. By forcing third-party ICT providers to increase their security and resilience, DORA will reduce their risk for everyone who works with them—not just financial entities.
Second, DORA will likely inform broader regulations that apply to all industries, and are passed by countries outside of the EU. Financial services—and the EU—have long set the standard for cyber regulations. Just like GDPR’s requirements have become the global standard for data privacy, it is likely that the DORA requirements will be adopted by many other frameworks.
The act itself will continue to evolve, and financial entities and the providers that serve them should expect DORA updates that will further standardize practices and requirements for cybersecurity and digital resilience. The future is more regulations around these topics, not less, and IT leaders would do well to stay ahead of the curve.
The role of enterprise IT leaders in fostering a culture of resilience
DORA may be a cross-functional framework that makes cyber resilience a board-level concern, but it still lives primarily within the IT domain. IT leaders in operations, security, and risk will have the primary responsibility for meeting its requirements, as they “own” the digital systems that DORA is concerned with protecting.
This responsibility will only increase as more and more financial systems become digitized and dependent on ICT systems, whether internal or from third-party providers. DORA makes it clear that IT leaders are the present and the future of maintaining resilient operations within financial entities.
The sooner you start, the better.
The DORA law goes into effect on January 17, 2025, and many of its requirements will take time to put into place. Focus on the biggest gaps within your compliance that will require the most investment and effort to implement.
For most financial entities, that will be:
BMC provides solutions and ICT services to rapidly bring these capabilities to life, in addition to a full portfolio of tools to cover every other element of operational resilience.
To learn more and request assistance in understanding DORA and achieving compliance by January 2025, reach out today for a consultation.
We know you have a lot to juggle, so we’ll get back to you as soon as possible. The more you can tell us about your unique business needs, the faster we can guide you to the right solution.
Whether you’re in the early stages of product research, evaluating competitive solutions, or just trying to scope your needs to begin a project, we’re ready to help you get the information you need.
BMC has helped many of the world’s largest businesses automate and optimize their IT environments. Let’s put that experience to work for your organization.