
What is DORA? The Digital Operational Resilience Act Explained

DORA is an EU regulation that strengthens the digital operational resilience of financial entities and of the information and communication technology (ICT) third-party providers that serve the EU financial sector.

The Digital Operational Resilience Act, also known as DORA, is a pivotal EU regulation designed to enhance the operational resilience of digital systems that support financial institutions operating in European markets, with a comprehensive focus on risk management, incident response, and governance.

Meeting DORA's requirements strengthens mainframe operations and resilience, and shields your organization from the financial penalties and reputational damage that follow non-compliance or an outage.

“With new regulations like the Digital Operational Resilience Act (DORA) in Europe, resilience is now a legal mandate. The conclusion is clear: Operations teams must rise to the challenge of modern mainframe resilience.”

Jason Bloomberg, Intellyx – Founder & Principal Analyst

What you need to know about DORA

  • The Digital Operational Resilience Act timeline started with formal adoption by the Council of the European Union and the European Parliament in November 2022; its requirements apply from January 17, 2025.
  • Financial entities and third-party ICT service providers have until January 17, 2025, to comply with DORA before enforcement starts.
  • The DORA law addresses key components such as service visibility, risk mitigation, business continuity, incident management, and governance, guiding organizations in building resilient frameworks that withstand disruption and keep pace with the changing landscape of digital operations.

The purpose of DORA

Why is DORA happening?

  • Before DORA there was no single framework for the management and mitigation of ICT risk that spanned the entire European financial sector.
  • DORA establishes that framework by harmonizing ICT risk management rules across the EU and holding every financial institution to the same high standard.
  • DORA compliance aims to eliminate the gaps, overlaps, and conflicts between the diverse regulations of different member states, streamlining compliance for financial entities while enhancing the resilience of the entire EU financial system.

What are the 5 pillars of DORA?

The 5 pillars of DORA are:

ICT risk management and governance
This requirement involves strategizing, assessing, and implementing controls. Accountability spans all levels, with entities expected to prepare for disruptions. Plans include data recovery, communication strategies, and measures for various cyber risk scenarios.

Incident reporting
Entities must establish systems for monitoring, managing, and reporting ICT incidents. Depending on severity, reports to regulators and affected parties may be necessary, including initial, progress, and root cause analyses.

Digital operational resilience testing
Entities must regularly test their ICT systems to assess protections and identify vulnerabilities. Results are reported to competent authorities, with basic tests annually and threat-led penetration testing (TLPT) every three years.

Third-party risk management
Financial firms must actively manage ICT third-party risk, negotiating exit strategies, audits, and performance targets. Compliance is enforced by competent authorities, with proposals for standardized contractual clauses under exploration.

Information sharing
Financial entities are encouraged under DORA to develop incident learning processes, including participation in voluntary threat intelligence sharing. Shared information must comply with the relevant guidelines and safeguard personal data as required by the EU's General Data Protection Regulation (GDPR).

Focus areas of DORA for the mainframe

The Digital Operational Resilience Act’s core principles require financial institutions to understand their entire IT landscape, including their third-party service suppliers. Institutions must be able to identify potential vulnerabilities and risks, and implement robust, automated strategies to protect their systems, data, and customers from cyberthreats and other disruptions.

While the DORA regulatory focus is on ICT and third-party risk management, incident reporting, resilience testing, and information sharing, firms with mainframe systems should also consider the following:

  • Service awareness and availability

    Implement regular health checks, automated maintenance tasks, and predictive alarms based on workload patterns.

    • Enhance visibility through logging mechanisms aligned with DORA's transparency requirements that provide real-time insights into mainframe activities.
    • Ensure a proactive approach to potential issues and promote transparency and accountability in line with DORA regulations.
  • Risk management

    Conduct regular vulnerability assessments, security control enhancements, real-time monitoring, and penetration testing to identify and remediate vulnerabilities unique to the mainframe architecture.

    • Stay informed and updated about security patches and updates relevant to mainframe systems.
    • Evaluate and update security and enhance access controls, encryption mechanisms, and authentication processes to enable DORA compliance.
    • Detect and respond promptly to security threats and integrate threat intelligence feeds to stay informed about emerging mainframe-specific threats.
    • Address exposures and vulnerabilities in hardware, system, and security configurations by conducting regular reviews, updates, and security audits.

  • Business continuity management

    Develop robust recovery plans and automated backup solutions that include detailed procedures for various failure scenarios.

    • Ensure a plan’s testability by conducting simulation exercises and audits to ensure its effectiveness in real-world scenarios.
    • Incorporate failover mechanisms to secondary mainframe systems for continuous operations in the face of unexpected failures.
    • Automate backups of mainframe data and make regular, consistent backups a core component of the plan, with an emphasis on testing and validating backup and recovery procedures.
    • Introduce immutable copies of critical data to enhance data resilience and establish safeguards against malicious activities and cyberthreats.
    • Address ransomware with preventive measures for detecting, isolating, and recovering from ransomware attacks.
    • Migrate mainframe backup data and tape data to cloud storage options for improved scalability, availability, and disaster recovery.
    • Leverage cloud capabilities to ensure the ability to recover mainframe data anywhere and enhance the recovery time objective (RTO) and recovery point objective (RPO).
  • Incident management

    Seamlessly integrate mainframe monitoring alerts into the overall enterprise service console to provide a unified view of incidents and effectively manage them across the organization.

    • Establish integration and cohesive coordination between the mainframe and the Security Operations Center (SOC), transmitting critical security events in real time for immediate analysis and response.
    • Develop automated response playbooks for common threat scenarios on the mainframe, incorporating actions such as isolating affected systems or blocking malicious activity.
    • Continuously refine and update automated response mechanisms based on evolving threats to ensure a dynamic and effective incident management approach aligned with DORA standards.
  • Governance and compliance

    Enforce compliance through vulnerability evaluations, automated compliance checks, and continuous adherence to regulatory standards to protect mainframe systems, and the organization, from fines and reputational risks.

    • Leverage vulnerability scanning tools specific to the mainframe environment that implement automated processes for identifying and prioritizing vulnerabilities.
    • Integrate vulnerability assessment results into governance and compliance reporting to streamline processes and ensure adherence to DORA requirements.
    • Establish automated compliance checks for mainframe policies, industry regulations, and certificates, with regular audits and validations of compliance requirements.
    • Remediate non-compliance issues quickly with automated, recurring, and scheduled reporting that provides timely updates.
    • Design governance processes that evolve continuously to align with DORA, ensuring a proactive and adaptive approach to mainframe governance.
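The incident-management items above call for forwarding mainframe security events to the SOC in real time and for automated playbooks that isolate or block. The following is an added example, not BMC's code and nothing DORA prescribes: it parses RACF-style ICH408I access-violation messages into SOC-ready JSON and applies a small playbook over them. The log lines are constructed and the message layout is simplified; the 60-second window, the three-failure threshold, the `revoke_userid` action name and the `PROD.` protected-dataset prefix are assumptions chosen for illustration.

```python
"""Normalize mainframe (RACF) security messages into SOC events and run a playbook.

Added example, not BMC's code. Message layout is a simplified ICH408I form and
all sample lines, thresholds and action names are constructed assumptions.
"""
import json
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> ICH408I USER(...) GROUP(...) NAME(...) <detail>"
SAMPLE_LOG = """\
2025-01-17 08:00:05 ICH408I USER(PAYBATCH) GROUP(PAYROLL) NAME(PAYROLL BATCH) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
2025-01-17 08:00:09 ICH408I USER(PAYBATCH) GROUP(PAYROLL) NAME(PAYROLL BATCH) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
2025-01-17 08:00:12 ICH408I USER(PAYBATCH) GROUP(PAYROLL) NAME(PAYROLL BATCH) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
2025-01-17 08:01:40 ICH408I USER(JSMITH) GROUP(DBA) NAME(J SMITH) PROD.PAYROLL.MASTER CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
2025-01-17 08:03:00 ICH408I USER(OPER1) GROUP(SYSOPS) NAME(OPERATOR) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ICH408I "
    r"USER\((?P<user>[^)]+)\) GROUP\((?P<group>[^)]+)\) NAME\((?P<name>[^)]*)\) "
    r"(?P<detail>.+)$"
)
# Resource and class appear at the start of the detail for access-denied events.
RESOURCE_RE = re.compile(r"^(?P<resource>\S+) CL\((?P<cls>[^)]+)\)")


def parse_line(line: str):
    """Turn one ICH408I line into a normalized event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m["detail"]
    event = {"source": "zos-racf", "ts": m["ts"], "user": m["user"],
             "group": m["group"], "resource": None, "resource_class": None}
    if "INVALID PASSWORD" in detail:
        event["event_type"] = "auth_failure"
    elif "INSUFFICIENT ACCESS AUTHORITY" in detail:
        event["event_type"] = "access_denied"
        r = RESOURCE_RE.match(detail)
        if r:
            event["resource"], event["resource_class"] = r["resource"], r["cls"]
    else:
        event["event_type"] = "other"
    return event


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def to_soc_json(events):
    """One JSON object per line, the shape a SIEM/SOC console typically ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def apply_playbook(events, window_seconds=60, failure_threshold=3, protected_prefix="PROD."):
    """Assumed playbook: revoke a user ID after repeated failed logons in a short window,
    and raise a high-severity SOC alert on denied access to protected production datasets."""
    actions, revoked, recent = [], set(), {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        if e["event_type"] == "auth_failure":
            q = recent.setdefault(e["user"], deque())
            q.append(ts)
            while q and ts - q[0] > timedelta(seconds=window_seconds):
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= failure_threshold and e["user"] not in revoked:
                revoked.add(e["user"])
                actions.append({"action": "revoke_userid", "user": e["user"], "ts": e["ts"],
                                "reason": f"{len(q)} failed logons within {window_seconds}s"})
        elif e["event_type"] == "access_denied" and (e["resource"] or "").startswith(protected_prefix):
            actions.append({"action": "alert_soc", "severity": "high", "user": e["user"],
                            "resource": e["resource"], "ts": e["ts"]})
    return actions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(to_soc_json(evs))
    for action in apply_playbook(evs):
        print(json.dumps(action))
```

On the constructed sample the playbook revokes PAYBATCH after its third failed logon within the window, ignores the single OPER1 failure, and raises a SOC alert for JSMITH's denied access to a PROD dataset. In a real deployment the normalized events would be shipped to the enterprise console and the actions executed by the automation layer, with the thresholds tuned to the site's baseline.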


DORA operational resilience toolchain

The toolchain below is organized around the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). DORA itself does not name these functions, but its requirements for rapid response, recovery, and compliance fall naturally into them, and they map onto the mainframe focus areas described above.

Identify
Understanding risk to systems, people, assets, data, and capabilities, including business context, policies, and vulnerabilities.

Protect
Ensure safeguards to limit or contain the impact of a potential cybersecurity event. Fortify defenses to ensure the integrity and security of critical data and systems.

Detect
Discover cybersecurity events and anomalies in real time and understand their potential impact. Identify and understand potential threats for swift mitigation.

Respond
Take action to limit the impact of cybersecurity events and anomalies, with well-defined response mechanisms and protocols in place before they are needed.

Recover
Restore data, systems, and operations to normal conditions. Ensure systems can bounce back efficiently and effectively.

BMC solutions for DORA focus areas

BMC offers a range of solutions that address the full scope of the five focus areas outlined above, as well as specific sub-focus areas within each, as follows.

  • Service awareness and availability

    Proactive mainframe monitoring and automation

    BMC AMI Ops Monitoring

    Identify and control problems quickly with a single view and unite AIOps processes across the business with data sharing.

    BMC AMI Ops Automation

    Improve productivity, increase system availability, manage alarms and events generated by monitor components, and automate mainframe event data integration for your operations management systems.

    AI predictive mainframe monitoring

    BMC AMI Ops Insight

    Detect problems and generate notifications before they impact the business with an AI solution that conducts multivariate analysis for all KPIs simultaneously and is continuously learning.

  • Risk management

    Mainframe threat detection and automated response

    BMC AMI Command Center for Security and BMC AMI Datastream

    Reduce risk, strengthen your security posture, and stop threats before they threaten your environment with configurations and recommendations designed by mainframe hacking experts.

    BMC AMI Security Session Monitor

    Deter insider threats by capturing and analyzing start-to-finish user session activity that provides deep insight into user behaviors; identify and reduce cybersecurity threats with unique methodologies.

    BMC AMI Enterprise Connector for Illumio

    Identify and control network traffic by automatically converting Illumio microsegmentation rules into mainframe TCP/IP rules to increase productivity and security.

    Mainframe penetration testing and security assessment (baselining)

    BMC Mainframe Services: Penetration Testing

    Get regular and ongoing professional checkups that include security evaluations via a simulated “real-world” attack from an experienced BMC pentesting team.

    BMC Mainframe Services: Mainframe SWIFT Assessment Service

    Reduce the risk of internal and external attacks with a review by BMC specialists who can reveal weaknesses and vulnerabilities so you can plug gaps in your defenses and secure your mainframe.

  • Business continuity management

    Database recovery

    BMC AMI Recovery for Db2®

    Assure your required resources are available for recovery by estimating and simulating recovery scenarios and automating, accelerating, and streamlining backup and recovery jobs.

    BMC AMI LOBMaster for Db2®

    Check the data integrity of all unstructured or line of business (LOB) objects and data and fix any correctable errors.

    BMC AMI Backup and Recovery for IMS

    Estimate, simulate, and educate your team about recovery scenarios to ensure compliance and meet your recovery time objectives (RTOs) with point-in-time (PIT) recovery capabilities.

    Ransomware recovery

    BMC AMI Recovery for Db2®

    BMC AMI Cloud Vault

    BMC AMI Command Center for Security

    Leverage this integrated solution set to identify the time of an attack, identify the golden-copy backup, and restore the database to the last clean backup with minimal data loss. Recover anywhere, even if the primary site was compromised.

    Cloud backup management

    BMC AMI Cloud Vault

    Use object storage data protection capabilities such as immutable copies, back up a third, or “golden,” copy to the cloud, and recover directly from it with no dependency on a compromised system.

    Simulate business capacity scenarios

    BMC Helix Continuous Optimization for Mainframes and BMC AMI Capacity Management

    Proactively diagnose and prevent capacity-driven performance problems, validate system investments, right-size your environment, and reduce costs with accurate, comprehensive performance monitoring.

    Database resilience

    BMC AMI Database Integrity for IMS™

    Protect the integrity of your IMS data by addressing the most common cause of IMS database problems, cross-referencing control block libraries, and auditing database definition (DBD) libraries.

    Transaction resilience and recovery

    BMC AMI Message Advisor for IMS™

    Automatically monitor and manage IMS message queues to reduce restart times, prevent IMS outages, and improve IMS availability.

  • Incident management

    Proactive mainframe monitoring and automated threat response

    BMC AMI Command Center for Security

    Prevent and mitigate cyberattacks with AI-enabled, real-time behavioral analytics that identify known indicators of compromise (IOCs) and automated responses.

    Proactive mainframe monitoring and automation

    BMC AMI Ops Automation

    Automate event integration and send mainframe event data to BMC Helix Operations Management or other enterprise-wide operations management systems.

  • Governance and compliance

    Mainframe security policy compliance

    BMC AMI Security Policy Manager

    Harden the mainframe from attacks and quickly uncover and address security gaps before a compromise or exploit can occur with automatic configuration scanning, recommendations, and reporting.

    BMC AMI Command Center for Security

    Recognize suspicious user behavior and identify possible cyberattacks and ransomware threats in real time with AI-enabled tools.

    Test Data Privacy

    BMC AMI DevX Data Studio

    BMC AMI DevX File-AID

    Simplify the complex task of preparing data for testing without writing programs or scripts and without leaving the streamlined interface. Ensure data integrity based on referential integrity or application relationships, and mask sensitive test data.

    Mainframe certificate management

    BMC AMI Enterprise Connector for Venafi

    Improve quality and cut the time spent on manual certificate management with an automated approach that can implement and deploy hundreds to thousands of certificates every month.
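The business-continuity bullets earlier on this page (immutable copies, ransomware recovery, RTO/RPO) and the ransomware-recovery entry above both describe the same procedure: fix the time of the attack, find the last clean "golden" copy, and restore it with bounded data loss. The following is an added example of that selection logic, not BMC's code and not anything DORA specifies. The backup catalog, payloads, digests and attack timestamp are all constructed; in practice the attack time comes from the security tooling that detected the event and the digests from the immutable store that recorded them at write time.

```python
"""Select the newest verified clean backup taken before a detected attack and
check whether restoring it meets the recovery point objective (RPO).

Added example, not BMC's code. Catalog, payloads and timestamps are constructed.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalog. Each entry carries the digest recorded when the copy was
# written to the immutable store, so any later change to the payload is detectable.
# Payloads are stand-ins for database image copies.
_V1 = b"payroll image copy v1"
_V2 = b"payroll image copy v2"
_ENCRYPTED = b"\x8a\x13\x77 ciphertext produced after the attack"
CATALOG = [
    {"id": "BK-01", "taken_at": "2025-01-16T22:00:00", "data": _V1, "digest": sha256_hex(_V1)},
    {"id": "BK-02", "taken_at": "2025-01-17T04:00:00", "data": _V2, "digest": sha256_hex(_V2)},
    # Payload no longer matches the digest recorded at write time: untrusted.
    {"id": "BK-03", "taken_at": "2025-01-17T06:00:00", "data": b"overwritten", "digest": sha256_hex(_V2)},
    # Internally consistent, but taken after the attack, so it holds encrypted data.
    {"id": "BK-04", "taken_at": "2025-01-17T10:00:00", "data": _ENCRYPTED, "digest": sha256_hex(_ENCRYPTED)},
]


def verify_copy(entry: dict) -> bool:
    """True if the payload still hashes to the digest recorded when it was written."""
    return sha256_hex(entry["data"]) == entry["digest"]


def select_golden_copy(catalog, attack_time: datetime):
    """Newest copy taken strictly before attack_time whose digest verifies, else None.

    A copy taken after the attack can verify perfectly and still be useless, which
    is why the attack time bounds the search and the digest check filters tampering.
    """
    clean = [b for b in catalog
             if datetime.fromisoformat(b["taken_at"]) < attack_time and verify_copy(b)]
    return max(clean, key=lambda b: b["taken_at"]) if clean else None


def recovery_assessment(catalog, attack_time_iso: str, rpo_hours: float) -> dict:
    """Identify the golden copy and report the data-loss window against the RPO."""
    attack_time = datetime.fromisoformat(attack_time_iso)
    golden = select_golden_copy(catalog, attack_time)
    if golden is None:
        return {"golden_copy": None, "data_loss_seconds": None, "rpo_met": False}
    loss = attack_time - datetime.fromisoformat(golden["taken_at"])
    return {"golden_copy": golden["id"],
            "data_loss_seconds": loss.total_seconds(),
            "rpo_met": loss <= timedelta(hours=rpo_hours)}


if __name__ == "__main__":
    # Constructed detection time: 08:30 on the day of the attack.
    print(recovery_assessment(CATALOG, "2025-01-17T08:30:00", rpo_hours=6))
```

With the constructed catalog, BK-03 is rejected because its payload no longer matches the recorded digest, BK-04 is excluded because it postdates the attack, and BK-02 becomes the golden copy with a 4.5-hour data-loss window; whether that satisfies the RPO depends on the objective the entity has set, which is exactly the figure DORA's resilience testing is meant to validate in advance rather than discover during an incident.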

