
Preparing for DORA: Is Your Enterprise Resilient?

Vertali’s Mark Wilson on DORA’s implications, the NIST Cybersecurity Framework and how to respond to cyber incidents

In 2023, a tropical cyclone called Dora crossed from the Atlantic and wreaked havoc in the Pacific Ocean region. In a rare move, the World Meteorological Association retired the name in 2024, which only happens “if a storm is so deadly or costly that the future use of its name would be inappropriate.” For those of us working in IT and in the financial sector, there’s another storm brewing, albeit of a different kind. Like its tempestuous namesake, DORA is set to have a significant impact—and not everyone is ready.

The Digital Operational Resilience Act (DORA) is a wide-ranging EU regulation that applies as of January 17, 2025, harmonizing rules relating to operational resilience for the financial sector. Applying to 20 different types of financial entities and to third-party technology service providers, it seeks to strengthen the IT security of banks, insurers and investment firms.

DORA is about establishing a universal incident response, risk management and mitigation, and governance framework for the sector’s ICT. In addition to providing a guarantee of financial soundness, organizations will need to demonstrate their operations can be maintained during severe disruption caused by cybersecurity and other ICT issues. The Act applies enterprise-wide and affects all platforms, including the mainframe.

This is all about security improvement, backup, system availability and recoverability. In other words, it’s talking my language. Resilience has been a hot topic for a long time, of course: having the business (and cyber) resilience plans in place to continue functioning should the worst happen. The point is, are you resilient?

Prevention + Recovery = Resilience

If a hacker attacks, they might attack your infrastructure. That could mean targeting the system software, applications, application data or all of the above. As Forrest Gump said, “Life is like a box of chocolates—you never know what you’re going to get.” When it comes to recovery, and cyber resilience in general, the question to ask is, what problem or problems do we need to recover from? And the thing is, even the best “standard” backups may not be enough. You may have to recover data and software components independently; ransomware or malware attacks involve both. Accidental updates, meanwhile, probably require recovering only programs or parameters. Disaster recovery plan (DRP) recovery is likely a whole site. So, the ability to do a surgical or a wholesale recovery quickly and efficiently is what resiliency is about. It requires rigorous processes (and trusted technology) to achieve fast and complete recovery when time is of the essence. The good news is that you can implement plans and automated solutions to ensure granular restore processes that have a situational focus.

Let’s take a moment to consider some of the terminology. Resilience is your capacity to withstand or recover quickly. Backup refers to a copy of data made in case the original is lost or damaged. The problem is that many people confuse having a backup with having resiliency. They are not the same. Resiliency requires both prevention and recovery; backup is simply a recovery asset.

At this point, I tend to wheel out the NIST Cybersecurity Framework (CSF). This describes cyber resiliency as the ability to “anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises.” Great definition. Instead of focusing your efforts on keeping criminals out of the network, assume they’ll eventually get in. You need to develop a strategy to reduce the impacts and accelerate recovery. The CSF specifies what to do, not how to do it. And this isn’t really about compliance—it’s about good security practice, full stop. At Vertali, we define resilience as the ability to continue carrying out your mission by anticipating and adapting to cyber threats and other changes, and by withstanding, containing and rapidly recovering from cyber incidents. There are various ways to approach this.

Not All Backup Solutions Are Created Equal

All the main vendors offer replication solutions, which help to protect against physical hardware failures. And there are immutable backups: data copies that cannot be changed or deleted, so they retain their original integrity and security; you copy and capture the data, then recover it and carry out an incremental restore. But is this enough, and should it actually be our starting point? In the current climate, data resilience alone won’t cut it: DORA has a far wider brief, ensuring operational resilience. And we all know the implications for operations if we’re subject to a smaller scale—let alone all-out—cyberattack, what hackers call a fire sale in which “everything must go.” The results are lost revenue, lost customers, reputational damage and financial impacts, which may include penalties from regulators.

In most cases, warning signs are apparent long before an attack. Bad folks have probably been in the system for days or weeks. When it comes to protection (prevention), you need the ability to detect, alert and intercept wrongful activity before a full-blown attack—identifying unexpected access, malicious changes, rogue encryptions. From the outset, this calls for an integrated approach, from continuous monitoring onwards. You want clear answers, not to have to work on suspicions or gut feelings. You need to be wary of too many false positives. And you need to minimize manual actions that can slow your response and create more points of failure. Consider what may take place before an attack, such as reconnaissance or alteration phases.

Getting Back on Air After an Attack

Okay, the worst has happened. It’s an outage and time is critical. The situation requires predefined actions to kick off fast, which means automated action. z/OS repairs are needed to recover compromised software/parameters. You need to look at which components, from when, and avoid regression. Situational analysis and forensics are important to know what was affected, when it was last correct and who did it. Then comes a concurrent data restore: forward recovery from immutable data backups, which tend to be very recent.

Ransomware attack? You need integrity monitoring, the ability to detect and intercept with real-time alerts and rapid incident forensics. Blitz attack? You want the ability to intercept malicious activity with the proper thresholds set, to detect, intercept and suspend/resume. Rogue insider? You need to be able to detect unauthorized changes and identify user behavior changes, pinpointing suspicious activity and so on. Solutions are available.

Yes, there’s a lot to consider: immutable backups and storage intelligence; integrity monitoring, malware detection and whitelisting; tracking behavioral changes and unusual network activity; and enabling a trusted software restore and granular restore of data. No one vendor can do everything. A measured response to DORA—to provide the resilience your digital operations need—requires three things:

  1. A good understanding of the evolving threat landscape and the risks that you face.
  2. Developing effective cyber resilience and disaster recovery plans, perhaps in partnership with external experts.
  3. Exploring and integrating a raft of approaches and solutions to ensure you are compliant. It’s worth remembering the quote attributed to Benjamin Franklin: “An ounce of protection is worth a pound of cure.”

Whether you’re concerned about the impact of DORA on your organization or the havoc that a real-life cyberattack could cause if your resilience is lacking, is it time to batten down the hatches before the hurricane hits?