The Clock is Ticking: ITRS Group Warns Firms Not to Delay in Complying with DORA, the EU’s Operational Resilience Requirements
- 14.11.2022 05:50 pm
The European Commission has voted to adopt the Digital Operational Resilience Act (DORA) in response to a spate of widespread system outages and cyber threats in the financial services sector. The regulation will bring all EU states into line when it comes to operational resilience.
Over the last two years, the Act has gone through a series of revisions and has now received final approval, meaning firms have 24 months to comply with the new rules. However, leading software provider ITRS Group (ITRS) is warning that firms should not delay when it comes to implementing plans to meet compliance objectives.
To prepare for DORA’s requirements, ITRS urges firms to identify any compliance gaps in their ICT systems, determine which of their third-party providers will be considered critical vendors and map their level of risk, implement a testing framework for digital resilience, determine whether their current recovery strategies align with new standards, and put plans in place to improve them where needed.
Commenting on the adoption of DORA, ITRS CEO Guy Warren said: “This is an important step in the standardisation of operational resilience – across the EU but also the world, with other countries’ regulatory bodies likely to follow suit sooner than many firms might expect. International firms operating in the EU who can get their compliance in order now will be ahead of the game as other regions begin to implement similar standards.
“Obviously it’s important to recognise that it’s not an easy task to both ensure and report on the resilience of the incredibly complex IT estates of modern businesses – nor should it be. This is why a single, comprehensive and real-time monitoring system across the business IT estate is essential. Having a complete view over all critical business services, plus that of third parties will allow IT managers and business service owners to identify and mitigate problems before they occur, and track and quickly resolve any issues that do slip through.”
To ensure firms feel prepared for the changes, ITRS has produced a whitepaper which outlines key requirements for businesses to be aware of, including stress testing for digital resilience, comprehensive ICT risk management planning, ICT incident reporting, and third-party service provider risk analysis and documentation.