The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that created a binding, comprehensive information and communication technology (ICT) risk-management framework for the EU financial sector. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025.
DORA applies to all financial institutions in the EU. That includes traditional financial entities (like banks, investment firms and credit institutions) and non-traditional entities (like crypto-asset service providers and crowdfunding platforms). Notably, DORA also applies to some entities typically excluded from financial regulations.
DORA and other regulations focus on operational resilience: the ability to keep delivering reliable and secure services to customers through disruptions, which is also how institutions address regulatory compliance and cybersecurity challenges. They require financial institutions to define the business recovery process, service levels and recovery times that are acceptable for their business. Regulators also require organizations to test business recovery processes periodically and provide documented test results showing that SLAs have been met.
As part of the risk-assessment process, entities must conduct business impact analyses to assess how specific scenarios and severe disruptions might affect the business. Entities will also be expected to put appropriate cybersecurity protection measures in place. This is where new solutions with cyber resilience become part of the picture.
What is cyber resilience?
Cyber resilience is a component of operational resilience. It focuses on providing a proven strategy around data protection and business continuity in case of advanced ransomware or cyberattacks, including scenarios where data is encrypted by ransomware.
The need for a strong cyber-resilience strategy
According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach was $4.45M. In the U.S., the average cost of a data breach was the highest of any region, reaching $9.48M. The report also found that organizations took an average of 277 days (about 9 months) to identify and contain a breach.
A strong cyber-resilience strategy that provides a unified approach—combining cybersecurity with data protection and disaster recovery methods—can help organizations protect against and rapidly recover from disruptive cyber incidents.
With attacks becoming more malicious and techniques more advanced, the strategies and plans to mitigate the impacts of such cyberattacks must also change. Traditional recovery plans like standard disaster recovery solutions are not adequate on their own and must evolve to support these new scenarios, which will require new thinking and closer teaming between disaster recovery and security teams.
Cyber resilience also tackles additional areas beyond the common resilience techniques of backup, high availability and disaster recovery. While these techniques are important and must be part of the overall resilience program, they will typically replicate the effects of a ransomware attack (such as encrypted or corrupted data) to every connected environment, because they are designed to keep data synchronized with the smallest possible RPO (recovery point objective).
A cyber-resilient solution must be considered as a separate leg of this stool, typically on a third environment, which can quickly take over while not replicating the ransomware. Cyber-resilient solutions can solve issues for compliance and close the security gaps by protecting against attacks with a host of tools.
Benefits of an isolated recovery environment
An isolated recovery environment in the cloud complements standard disaster recovery in several ways:
- It helps customize and configure the recovery process according to the unique needs of your applications. You can implement complex recovery workflows that may not be feasible with a standard disaster-recovery solution.
- It offers more control and flexibility for comprehensive testing and validation. This enables you to verify the effectiveness of your recovery procedures.
- It enhances security based on your specific requirements and helps meet compliance requirements.
IBM cyber-resiliency best practices
IBM infrastructure solutions enable clients to develop and manage cyber resilience across a wide landscape, including a hybrid cloud environment, while supporting compliance with key requirements from regulations like DORA. With both on-premises infrastructure and cloud-based resources, IBM can seamlessly integrate with your existing setup. You can replicate and recover on-premises systems to a cloud-based recovery environment, providing a unified and consistent recovery solution. This integration ensures that your entire infrastructure is protected and recoverable.
IBM cyber-resiliency best practices include the following:
- Air-gapped protection as a fail-safe copy against propagated malware
- Immutable storage to prevent backup corruption and deletion
- Clean rooms, data scanning and cleansing tools for test and validation
- Automation and orchestration technologies as a part of response and recovery
- Separation of duties
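The practices above interact: an immutable, air-gapped copy is only useful for recovery if a clean-room validation step confirms it has not been tampered with or encrypted before it is promoted to a recovery source. The following added example (not IBM code, and not tied to any IBM product or API) illustrates that validation logic in Python. It assumes a constructed manifest of known-good SHA-256 hashes, a constructed `immutable` flag standing in for a retention lock, and a Shannon-entropy check as a crude indicator of ransomware-encrypted payloads; the backup contents, names and threshold are all constructed for the example.

```python
"""Clean-room validation of backup copies before recovery (added example).

Assumptions (constructed for illustration, not from any IBM product):
- `immutable` models a retention lock / WORM flag on the copy.
- MANIFEST holds known-good SHA-256 hashes recorded at backup time.
- Entropy above ENTROPY_THRESHOLD bits/byte is treated as a sign of
  ransomware-style encryption; real scanners use more signals than this.
"""
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTROPY_THRESHOLD = 7.5  # bits per byte; constructed threshold


@dataclass
class BackupCopy:
    name: str        # which environment holds the copy
    payload: bytes   # the backup contents
    immutable: bool  # retention lock set?


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_copy(copy: BackupCopy, manifest: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the copy is clean."""
    findings = []
    if not copy.immutable:
        findings.append("not immutable")
    if sha256_hex(copy.payload) != manifest.get("expected"):
        findings.append("hash mismatch")
    if shannon_entropy(copy.payload) > ENTROPY_THRESHOLD:
        findings.append("high entropy")
    return findings


def choose_recovery_source(copies: List[BackupCopy],
                           manifest: Dict[str, str]) -> Optional[str]:
    """Pick the first copy (in the given order) that passes every check."""
    for copy in copies:
        if not validate_copy(copy, manifest):
            return copy.name
    return None


# --- constructed sample data ---------------------------------------------
# Known-good ledger data as it was at backup time.
CLEAN_PAYLOAD = b"account,balance\nacme-001,1200.00\nacme-002,355.10\n" * 40
# Stand-in for the same data after ransomware encryption: pseudo-random
# bytes derived from SHA-256, which have near-maximal entropy.
ENCRYPTED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest()
                             for i in range(64))

MANIFEST = {"expected": sha256_hex(CLEAN_PAYLOAD)}

# Production and the synchronous DR replica both received the encrypted data
# (smallest-RPO replication copies the attack); the isolated vault did not.
COPIES = [
    BackupCopy("production", ENCRYPTED_PAYLOAD, immutable=False),
    BackupCopy("dr-replica", ENCRYPTED_PAYLOAD, immutable=False),
    BackupCopy("vault", CLEAN_PAYLOAD, immutable=True),
]

if __name__ == "__main__":
    for c in COPIES:
        print(f"{c.name:12s} entropy={shannon_entropy(c.payload):.2f} "
              f"findings={validate_copy(c, MANIFEST)}")
    print("recover from:", choose_recovery_source(COPIES, MANIFEST))
```

Run as a script, the production and DR copies are rejected for a hash mismatch, high entropy and a missing retention lock, while the vault copy passes and is selected. In a real clean room the manifest would itself be stored immutably and signed, and the entropy check would be one of several scanners applied before data is promoted back to production.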
IBM Cloud provides the base infrastructure with the flexibility to deliver trusted solutions that match compliance needs when faced with DORA requirements. Whether deployed as dedicated infrastructure or consumed as a managed service, IBM can provide the expertise for a fully compliant cyber-resilient solution that is independent of the production environment with IBM Cloud Cyber Recovery.
Organizations can achieve a highly customized, flexible and resilient recovery solution by combining standard disaster recovery, backup solutions and an isolated recovery environment in IBM Cloud. The isolated recovery environment offers additional options for recovery, customization, security, integration and compliance. This enhances the overall effectiveness and control of the resiliency strategy and, at the same time, provides compliance and support for regulations like DORA—all working in concert to keep your organization’s business in business.