Blog · 3 min read · November 21, 2024
The European Union’s Digital Operational Resilience Act (DORA) represents a transformative regulatory shift aimed at fortifying the financial sector’s ability to withstand ICT-related disruptions. With its compliance deadline fast approaching on 17 January 2025, organisations face increasing pressure to align their systems, policies, and practices with DORA’s stringent requirements. Among the various strategies available to financial institutions, adopting a multicloud approach emerges as a compelling solution to meet the act’s mandates while simultaneously enhancing operational resilience.
In this article, we explore DORA’s foundational principles, the challenges it presents to financial entities, and how a multicloud strategy can help institutions overcome these hurdles while positioning themselves as leaders in operational resilience.
At its core, DORA seeks to harmonise ICT risk management practices across the EU’s financial sector, recognising that technological dependencies are both a strength and a vulnerability. As financial institutions increasingly rely on interconnected ICT infrastructures, any disruptions—whether due to cyberattacks, natural disasters, or system failures—can cascade through the sector, jeopardising stability.
To address this, DORA introduces a comprehensive framework focused on five pillars:
1. ICT risk management: ensuring robust governance and proactive risk identification.
2. Incident reporting: mandating systems to detect and report ICT disruptions promptly.
3. Resilience testing: requiring periodic assessments, including penetration tests, for critical functions.
4. Third-party risk management: overseeing critical ICT service providers, such as cloud providers.
5. Cyber threat intelligence sharing: encouraging voluntary information exchange to strengthen collective resilience.
DORA was adopted in January 2023, with organisations required to achieve full compliance by January 2025. Its scope is extensive, encompassing banks, insurers, investment firms, and critical third-party ICT providers. However, the challenges of implementing DORA vary widely across organisations, influenced by their size, complexity, and existing ICT infrastructures.
While DORA sets a clear path for improving resilience, its prescriptive requirements pose several challenges:
1. Legacy systems: many institutions rely on outdated ICT architectures that may lack the flexibility to meet DORA's standards.
2. ICT concentration risk: heavy reliance on a single cloud or service provider creates vulnerabilities.
3. Resource allocation: smaller firms may struggle with the financial and operational demands of compliance.
4. Contractual overhauls: revising contracts with third-party ICT providers to meet DORA's specific provisions is a time-intensive process.
A multicloud approach involves leveraging multiple cloud service providers to distribute workloads, reduce risk, and enhance operational flexibility. This strategy aligns with several of DORA’s critical requirements, offering both practical and strategic benefits for financial entities.
While the benefits of multicloud are evident, implementing this strategy requires careful planning and execution. Financial entities should consider the following steps:
1. Assess ICT dependencies: conduct a comprehensive review of existing ICT infrastructures to identify risks and gaps.
2. Design resilient architectures: map critical workloads to cloud providers based on their strengths and capabilities.
3. Negotiate third-party contracts: align contracts with DORA's requirements, ensuring clear definitions of roles, responsibilities, and compliance expectations.
4. Strengthen cybersecurity measures: integrate diverse security tools from multiple providers, and conduct regular threat-led penetration tests as mandated by DORA.
5. Monitor and adapt: continuously review multicloud performance, ensuring alignment with evolving business needs and regulatory changes.
Beyond compliance, multicloud offers a pathway to enhanced operational efficiency and strategic flexibility. By integrating multicloud into broader business strategies, financial entities can transform resilience from a regulatory necessity into a competitive differentiator. The ability to recover swiftly, maintain service delivery, and preemptively address risks strengthens customer trust and safeguards institutional reputation.
DORA presents both a challenge and an opportunity for the financial sector. While its mandates require significant effort, they also pave the way for a more resilient, secure, and harmonised operational landscape. A multicloud strategy emerges as a pragmatic and strategic response to DORA’s requirements, enabling financial entities to not only comply but thrive in an increasingly interconnected world. By embracing multicloud, organisations can turn compliance into a catalyst for innovation and long-term success.