The Digital Operational Resilience Act (DORA) adopted by the EU addresses the digital and cybersecurity resilience of financial institutions. Although DORA helps banking and financial institutions prevent, respond to, and recover from critical cybersecurity incidents, DORA compliance could present many hurdles for financial institutions. Applying the DORA framework is especially challenging as organizations move more workloads to the cloud and manage sprawling hybrid and multi-cloud environments.
By proactively improving application security and reliability, organizations can reduce exposures and prevent the type of incidents that DORA is meant to address. An observability and security platform approach can help by automating checks for DORA compliance requirements and improving your overall application security and reliability.
Challenges with DORA compliance
DORA, while aiming to bolster cybersecurity and reliability in the financial sector, presents several challenges for organizations to navigate. Here are some of the key hurdles that institutions need to overcome:
- Complex digital ecosystems. Delivering financial services requires a complex landscape of applications, hybrid cloud infrastructure, and third-party vendors. This complexity can increase cybersecurity risk, introduce many points of failure, and increase the effort required for DORA governance and compliance.
- Third-party risk management. While DORA emphasizes managing risks associated with some third-party ICT service providers, financial institutions have limited control over security practices of these vendors. Effectively assessing and mitigating these external risks requires robust vendor due diligence and continuous monitoring of their cybersecurity posture. For example, look for vendors that use a secure development lifecycle process to develop software and have achieved certain security standards.
- Resource constraints. Implementing and maintaining DORA compliance can be resource-intensive, requiring skilled personnel, advanced technologies, and ongoing investment. This can divert attention and resources from delivering better customer experience and innovation.
- Integration with existing processes. DORA compliance needs to be seamlessly integrated with existing risk management, incident response, and business continuity processes within the organization. This can require process re-engineering to fill gaps and ensuring clear communication and collaboration across security, operations, and development teams.
Classifying requirements in the DORA framework
DORA defines a wide range of requirements for organizations to achieve compliance. To help determine how customers can comply with DORA requirements, DORA’s articles can be classified in the following three categories:
- Definition: Describes terms and the scope of the act.
- Governance: Addresses organizational policies and procedures related to information and communication technology (ICT) risks.
- Technical: Specifies technical requirements for ICT systems within an organization.
Achieving DORA compliance using an observability and security platform approach
Achieving DORA compliance can involve passing annual audits conducted by independent third parties. Automatically and continuously checking systems to see if they meet the latest security standards not only helps organizations pass annual compliance audits but also reduces the risks of cyber security incidents. Continuous checking helps you update your systems with the latest security standards to meet DORA requirements and reduce cyber risks.
A comprehensive observability approach combined with advanced AI and automation supports organizations toward DORA.
Using continuous Security Posture Management to keep systems compliant
Using the Dynatrace observability and security platform, Dynatrace Security Posture Management (SPM) can digitally and automatically verify the technical requirements specified in the DORA regulations. Specifically, Dynatrace SPM can verify the technical requirements of DORA Chapter II (ICT risk management) and Chapter III (ICT-related incident management, classification, and reporting) and the relevant Regulatory Technical Standards (RTSs) applicable.
While DORA provides high-level definitions, other regulatory frameworks (such as CIS or DISA-STIG) offer technical specifications used as a basis for technical best practices. By combining technical best practices with DORA technical specifications, Dynatrace creates technical checks to monitor your organization’s security posture.
By employing LLMs capable of handling large context windows, the Dynatrace Security Research team maps technical requirements from frameworks (such as CIS) to DORA paragraphs and establishes a knowledge base of technical best practices.
The Dynatrace process involves a unique collaboration between AI and human experts. After obtaining individual mappings between technical recommendations and DORA requirements, Dynatrace compliance experts perform a thorough review. This collaboration ensures accuracy, identifies redundancies, and verifies that technical articles align with relevant checks.
Effective ICT risk management
Dynatrace Runtime Vulnerability Analytics offers AI-powered risk assessment and intelligent automation for continuous real-time exposure management throughout your entire application stack. Dynatrace promptly alerts your security teams about identified exposures and leverages the Dynatrace platform’s topology map to visualize any affected dependencies. Moreover, the Davis AI engine assists in prioritizing what needs to be fixed first.
The Dynatrace platform also delivers runtime application protection for common attack types. Leveraging code-level insights and transaction analysis, teams can detect and thwart malicious activity. With the capability to identify and halt attacks in real time and without configuration requirements, Dynatrace aids in safeguarding your organization against zero-day vulnerabilities. Dynatrace Security Analytics can also improve the effectiveness and efficiency of threat hunts.
Faster mean time to respond (MTTR) for ICT incidents
Dynatrace automatically collects and analyzes large volumes of data to make sense of sprawling multi-cloud application environments. The Dynatrace causal AI engine, Davis, analyzes observability and security data in the context of topology information to group anomalies, pinpoint root causes, and automatically prioritize based on business impact. This single source of truth tears down information silos that traditionally separate teams that perform different functions on many application components. This eliminates the need for manual diagnostics for remediation, improving and reducing the likelihood of material downtime incidents.
Automated business impact analysis
Organizations can use the Dynatrace platform to analyze and automate business analysis, like the business impact analysis required for DORA incident reporting. With Dynatrace Digital Experience Monitoring, organizations can detect and diagnose disruptions to financial services caused by an outage, broken functionality, or performance issues.
Additionally, Dynatrace can capture business data from a variety of sources, like OneAgent, from real user monitoring sessions, log files, and external tools and data sources. Using this information all stored in the Grail data lakehouse, business impact due to an incident can be measured and compared with historical data.
Early warning indicators
Dynatrace provides metrics including service-level objectives (SLOs) and service-level indicators (SLIs) that allow teams to predict problems before they occur and especially before they impact customers. By holding DevOps teams accountable for SLOs, they can take proactive action to increase resilience and reliability and avoid actual downtime. This trains your teams to be proactive in maintaining software quality and saves you money by avoiding downtime.
Better understanding of third-party ICT risk
While DORA requires third-party ICT vendors to disclose critical vulnerabilities to financial services customers, the complexity of modern applications means that some may slip through unnoticed. Dynatrace can detect and prioritize exposures in any monitored application, including third-party software like COTS and open source. This eliminates the dependency on analyzing a Software Bill of Materials (SBOM) provided by the vendor or completely relying on the vendor’s internal security processes. Additionally, financial services customers can hold their vendors accountable to fix truly critical vulnerabilities in a timely manner.
Continuous digital operational resilience testing
Before any deployment or software release, Dynatrace can automate change impact analysis required for DORA’s digital operational resilience testing requirement with Site Reliability Guardian. For each service, a guardian can automatically validate service-level objectives, “golden signals,” or security vulnerabilities before and after any deployment or configuration changes. It detects regressions and deviations from previously observed behavior, including latency, traffic, error rates, saturation, security coverage, vulnerability risk levels, and memory consumption. Thus, Site Reliability Guardian supports DevOps and SREs in continuously testing application releases to improve release quality.
What’s next
Learn more about how Dynatrace assists with addressing DORA requirements and how Dynatrace complies with DORA in our DORA blog series, and contact your Dynatrace account representative to find the best solution for your organization.
Looking for answers?
Start a new discussion or ask for help in our Q&A forum.
Go to forum