DORA Made Easy: Compliance for Finance and Insurance

Learn about the importance of DORA (Digital Operational Resilience Act) for banking, financial, and insurance companies and how to comply with it easily.

Data management is about to set the compliance bar even higher. Global BFSI companies (banking, financial services and insurance) need to comply with a revolving door of regulations and policies, ranging from internal policies to industry-mandated, country-specific, and continental ones.

To make matters worse, each new regulation forces both existing and newly produced data to be compliant. It creates a massive headache and tech debt for data management teams, as they rush to find all this data and make it compliant.

This cyclical process will repeat on January 17, 2025, when DORA starts to apply. BFSI corporations are therefore already scrambling to prepare their databases for DORA compliance.

What is DORA?

The Digital Operational Resilience Act is a set of regulations that aims to enhance the tech resilience of the financial sector in the EU. This regulation permeates across the entire BFSI sector, sparing no one.

Who will DORA affect?

The entire banking and financial ecosystem will feel the effects of DORA. It will instill change in over 20 different types of financial entities and ICT third-party service providers, including:

  • Banks, insurance companies, investment firms

  • Credit institutions, payment institutions, and electronic money institutions

  • Service providers for crypto assets, data reporting, and crowdfunding

  • Central securities depositories, central counterparties, and trading venues

The banking and financial services industry is increasingly connected, and even a tiny data breach can affect the entire global system, not unlike the system shutdown that ground 8.5 million Windows devices to a halt. A couple of minutes of downtime can cost millions, not to mention the reputation of all affected businesses.

DORA's scope is not only to counteract these types of incidents in the financial sector but also to prevent them. It's meant to manage ICT risks in BFSI to ensure prevention, resistance, response, and recovery from any disruption.

With DORA, the EU aims to create a more secure financial system prepared for today's world of digitalization and interconnectedness.

What DORA Means for Banking, Financial Services, and Insurance

The regulation will address various financial activities and rules, which can be grouped into 5 categories.

ICT Risk Management Framework

Financial entities must establish robust data governance strategies and control measures to manage ICT risks effectively. Risk management strategies, policies, procedures, and tools are all included here.

Incident Reporting

Financial actors must define, classify, and report any ICT-related incidents based on specific criteria. These include impact, duration, and data loss. Enterprises must report major incidents to the relevant authorities.

Digital Operational Resilience Testing

Regular testing is mandated, including threat-led penetration testing, to ensure ICT system resiliency. Certified professionals must perform these tests and repeat them every three years.

Third-Party Risk Management

This category covers managing ICT third-party risks. It goes in-depth on oversight of critical ICT service providers and detailed contractual arrangements.

Information Sharing

Perhaps the most important one, this category aims to allow financial actors to collaborate and share insights on threats, exposed weaknesses, and incidents. Such a collaboration can only enhance the security of the BFSI tech ecosystem.

With these categories in mind, the affected corporations have too much on their plate. And that plate will keep getting fuller because of the numerous extra tasks, checks, and transformation programs that abound. Let's look at how the affected categories will challenge BFSI corporations.

Increased Workload

The regulations imposed by DORA will have a waterfall effect on specific roles and their workloads within the industry.

First in line are the compliance officers and risk management teams. Compliance frameworks, new regulatory requirements, and ICT risk assessment are only a few of the extra tasks about to spring up.

Second are the IT and cybersecurity teams. With them lies the all-important responsibility of implementing the technical requirements. They will install and maintain security measures for the ICT systems. They will also conduct regular resilience tests, and develop systems for detecting, reporting, and responding to incidents.

Thirdly, the Digital Operational Resilience Act will affect data management teams. Data inventorying and classification will be crucial to enable proper prevention, identification, and mitigation, while another pile of regular cleaning and updating awaits. Consistent monitoring and reporting of any breaches and non-compliance will offer little sleep to these teams.

Last, but not least, the regulations will affect legal and contract teams. Reviewing, updating, and negotiating contracts while ensuring legal compliance will add to their to-do lists.

Updating Databases

While this process is by no means a new one for data engineers, it will surely add to their responsibilities. Apart from the data inventorying and classification mentioned before, teams will also have to ensure:

  • Accurate, up-to-date, and reliable data

  • Data security via encryption, access controls, and monitoring systems

  • Data privacy in adherence to other regulations such as GDPR, CCPA, and HIPAA

  • Data management processes, documentation, and reporting

  • Resource allocation and investment in technologies

  • Proper data integration with third-party providers

BFSI enterprises will have to ensure that their data, no matter who handles it, will follow the provisions of the act. This includes third-party providers managing and preserving data in DORA-compliant locations, under EU regulator supervision. It also includes strict data dissemination rules for third-party providers.

Tech Vendor Management

The tech vendor landscape is diverse, with hundreds if not thousands of tools available at the click of a button. The incoming compliance tidal wave of DORA will impose strict rules on tech vendors.

Some vendors will be affected by these rules so heavily that BFSI enterprises will need to pivot away from them.

Companies should prepare for this to avoid scrambling at the last minute to find a new vendor. Such a scenario could prove catastrophic, delaying other processes that can snowball into more non-compliance, resulting in fines.

Another key aspect is diversifying tech vendors. In line with the EU's competition policy, vital services provided by third parties must not be monopolized. The provided services must be transferable between providers, and any SLA must be customized according to DORA's guidelines. This ensures that even if a vendor fails for some reason, the entire ecosystem remains resilient.

DORA's regulations perfectly align with our philosophy of being technology agnostic.

This approach focuses on practices and implies an easy pivot from any technology if it doesn't suit your data and business needs.

The rise of automation in risk evaluation and data management

To properly address the workload, database, and vendor issues, BFSI enterprises need to automate these processes. As much as technology increases the threat levels that have led to DORA in the first place, so too does it offer the solution through automation.

Here's what BFSI enterprises can do to automate their processes.

  • Automating Risk Assessment: Using systems that will streamline risk management by offering continuous monitoring and automated incident detection.

  • Enhancing Data Management: Tools for data classification and cataloging make it easier to organize and handle sensitive information. Automated data quality management systems also ensure that data remains accurate and compliant.

  • Improving Incident Reporting: Automated reporting systems are essential for timely and accurate incident reporting. These tools generate and submit reports and logs based on predefined criteria.

  • Investing in Resilience Testing: Advanced resilience testing tools, such as threat-led penetration testing platforms, are crucial. Investing in simulation and training platforms helps prepare staff and systems for real-world scenarios.

  • Strengthening Cybersecurity Measures: Integrated security platforms offer a unified view of the organization’s security posture. This enhances the ability to detect and mitigate sophisticated cyber threats.

  • Managing Third-Party Risks: Tools for assessing and monitoring third-party risks, along with automated contract management systems, help ensure that external vendors comply with DORA’s requirements.

DORA's Implementation Timeline

  • 16 January 2023: DORA comes into force

  • 26 May – 23 June 2023: Public consultation on the call for advice about criticality criteria and fees

  • 19 June – 11 Sept 2023: Public consultations on the first batch of policy products and their resulting policy mandates

  • 30 September 2023: Call for advice on criticality criteria and fees

  • 8 Dec 2023 – 4 Mar 2024: Public consultations on the second batch of policy products, with joint ESA feedback on these and the results of the consultations

  • 17 January 2024: First batch of policy products delivered

  • 17 July 2024: Second batch of policy products delivered

  • 17 January 2025: Application of DORA

  • 2025 and beyond: Oversight of compliance with DORA

Source: EIOPA

How to be DORA Compliant in 3 months with Witboost

While the regulation itself does offer guidelines and has held consultations with business stakeholders, the required transformations are more complicated than they seem (and that's saying something).

Although the regulation gave companies two years to prepare, each company's timeline for compliance varies.

This depends on multiple factors such as technologies used, data management practices, data production teams, data consumers' experience in accessing required data, and so on. Such a transformation program focused on compliance with DORA could take anywhere between 6 months and 3 years.

Here's how Witboost helps you quickly become DORA compliant with minimal to no overhaul of your data infrastructure while integrating with your own tech stack.

Standardization and Governance of Data Management Processes

Witboost enables the definition and enforcement of policies to ensure coherence between declarations and production implementations, including SLA and SLO checks.

It seamlessly integrates metadata, metrics, and policies from your data catalog, offering a unified experience across the data production process.

This ensures that BFSI corporations can safely test their ICT systems, controls, and processes and manage third-party risk.

What's more, standardizing and governing data management processes automatically with Witboost ensures that documented policies, procedures, and controls for ICT change management are respected. Take full control of every change and save valuable time by recording, testing, assessing, approving, implementing, and verifying each change, all within the same user interface.

Transforming Data Governance Guidelines into Data Guardrails

Witboost imposes enterprise-wide computational governance rules to act as guardrails to better control the lifecycle of data, wherever it resides.

It takes a policy-as-code approach, with computational policies that act at deploy time and at runtime. These policies are non-bypassable, so all produced data will be 100% DORA compliant.

This data governance framework is called Governance Shift Left.

Any risk of data corruption, unauthorized access, and technical flaws is fully mitigated if the right policies are put in place. These guardrails will prevent breaches from happening and will double-check your data.

Adopting a Multi-Vendor Approach

Technology agnosticism is one of the core pillars of Witboost. And that remains true for any third-party vendor thanks to its interoperability via APIs and webhooks. This approach offers full flexibility, thus avoiding lock-in and helping comply with the DORA-mandated multi-vendor strategy.

Reduce Human Errors

Human errors increase in proportion to the number of tasks and the working time. The guardrails put in place by Witboost come via templates that automate the data production process. They help avoid manual errors while developing a data project, speed up processes, and ensure data quality, so you don't have to check for errors by hand.

Navigating DORA compliance can be complex, but with the right strategies and tools, BFSI companies can achieve it efficiently. Proactive planning, technology utilization, and collaboration are key. Tools like Witboost help streamline compliance, ensuring resilience and security in the digital financial landscape. Prepare now for success in the era of DORA.

Discover how the Data Experience Platform, Witboost, can safeguard your organization by becoming DORA-compliant and AFR-compliant (Any Future Regulation). Take a look at the platform below.

Alternatively, download a case study conducted by Forrester examining the economic impact of Witboost for an enterprise European financial institution.