DORA is Live. Are Financial Services Companies Ready to Prove Their Resilience?

Crucial legislation brings a new level of rigor and accountability in the EU.

The Digital Operational Resilience Act (DORA) came into effect on January 17, with extensive guidelines and a detailed regulatory framework for how all financial services entities doing business in the European Union maintain data resilience against unplanned disruptions.

DORA also recognizes the reality, broadly accepted by cybersecurity professionals, that it is no longer a question of if a cyberattack occurs, but when. This crucial legislation brings a new level of rigor and accountability to the financial services industry and will continue to evolve to safeguard the stability of the EU and global financial ecosystem.

Many sectors of the financial services industry beyond traditional banks and credit institutions now fall under DORA, including payment providers, investment firms, trading venues, insurance providers, and third-party information and communication technology (ICT) service providers.

Those that are new to this level of regulation may struggle to comply, as indicated by European financial regulators’ DORA “Dry Run Exercise.”[1] They are also likely to face additional scrutiny from interconnected customers, partners and other stakeholders, who now treat a counterparty’s non-compliance as an operational risk of their own. Non-compliance no longer means just the potential for a very large fine but also reputational damage and liability for a company, its directors, and its partners.

While it remains to be seen how quickly financial regulators act, DORA represents a shift from guidelines for data readiness and cyber resilience to enforcement of them. Given the expansive nature of DORA, which significantly broadens the EU’s financial regulation of IT, regulators, lacking unlimited expertise and resources, may face challenges enforcing all aspects of DORA immediately. As a result, regulators are likely to adopt a targeted approach, focusing on the most critical and visible areas of noncompliance.

What Financial Organizations Are Prioritizing

A top priority for DORA compliance is the submission of accurate and technically compliant registers of information. Financial regulators have emphasized that registers will be a primary focus of enforcement, and they expect organizations to submit them early in 2025. Submitting an accurate register that details the organization’s most significant IT providers may be more beneficial than submitting incomplete information about all of its IT providers.[2]

For data protection leaders and CIOs, DORA is a call to action to examine legacy systems and consider whether they are capable of withstanding today’s cyberthreats and can deliver the performance required for efficient, rapid service recovery.

Beyond identifying and mapping key systems, applications and workloads with respective ICT providers, organizations should carefully consider the core capabilities that protect, defend, and recover these systems. Critical capabilities include:

  • Data protection and cyber recovery
    Rapid recovery capabilities are essential under DORA to minimize the operational impact of an attack. The only way to achieve the most stringent, ultra-short recovery time objective (RTO) required for critical systems is to recover using storage-based immutable snapshots. These snapshots should be securely stored in an isolated (or virtually air-gapped) repository.
  • Early-warning threat detection
    Identifying and remediating potential cyberthreats earlier is an important aspect of data protection and readiness. The capability to continuously scan data to detect anomalies, identify threats like ransomware and malware in real time, and automate remediation is essential for faster containment of an attack.
  • Isolated recovery environments (IRE) or cleanrooms for resilience testing
    Establishing a completely self-contained IRE, where data can be restored for forensic and application analysis and validated as clean before returning to production, speeds recovery. IREs also allow organizations to continuously test and improve cyber recovery practices for organizational readiness.
  • Scalability and performance
    Businesses will continue to evolve their services, face new regulatory requirements, and deal with emerging cyberthreats. It’s important to consider a solution’s ability to scale as data requirements change across distributed, hybrid environments while maintaining high-performance speeds for data protection and recovery.
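To make the early-warning detection capability above concrete, here is an added example (not code from the original post, and not Commvault’s or Pure Storage’s product logic) of the kind of anomaly scan a backup platform can run over snapshot metadata. It works on constructed nightly snapshot summaries rather than live data, and the three indicators it uses (a spike in the fraction of changed files, near-random content in the changed files, and mass extension changes) are the classic traces a ransomware run leaves in backups. The thresholds and the two-indicator rule are assumptions chosen for the example, not vendor defaults.

```python
"""Early-warning anomaly scan over backup snapshot metadata (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev


@dataclass(frozen=True)
class SnapshotStats:
    """Summary a backup engine could compute per snapshot (fields are assumptions)."""
    name: str
    files_total: int
    files_changed: int
    mean_entropy: float   # mean Shannon entropy (bits/byte) of changed files
    ext_changed: int      # changed files whose extension differs from the prior snapshot


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


# Detection thresholds: assumptions for this example, tune against your own baseline.
ENTROPY_SUSPECT = 7.5     # mean entropy at or above this looks like bulk encryption
SIGMA_MULT = 3.0          # change ratio more than 3 sigma above the baseline mean
SIGMA_FLOOR = 0.01        # avoid a zero-width band when the baseline is very stable
EXT_CHURN_RATIO = 0.05    # >= 5% of all files renamed to a new extension in one snapshot


def assess_snapshot(current: SnapshotStats, history: list[SnapshotStats]) -> list[str]:
    """Return the indicators that fired for `current` against earlier snapshots."""
    indicators = []
    cur_ratio = current.files_changed / current.files_total
    if history:
        ratios = [h.files_changed / h.files_total for h in history]
        band = max(pstdev(ratios), SIGMA_FLOOR)
        if cur_ratio > mean(ratios) + SIGMA_MULT * band:
            indicators.append("change_rate_spike")
    if current.mean_entropy >= ENTROPY_SUSPECT:
        indicators.append("high_entropy_writes")
    if current.ext_changed / current.files_total >= EXT_CHURN_RATIO:
        indicators.append("extension_churn")
    return indicators


def classify(indicators: list[str]) -> str:
    """Two or more independent indicators together are treated as a suspect snapshot."""
    return "suspect" if len(indicators) >= 2 else "clean"


def scan_snapshots(snapshots: list[SnapshotStats]) -> dict[str, tuple[str, list[str]]]:
    """Walk snapshots in order, baselining each one against those before it."""
    results = {}
    for i, snap in enumerate(snapshots):
        fired = assess_snapshot(snap, snapshots[:i])
        results[snap.name] = (classify(fired), fired)
    return results


# Constructed sample: five ordinary nightly snapshots followed by one that shows
# the ransomware pattern (60% of files rewritten, near-random content, mass renames).
HISTORY = [
    SnapshotStats("snap-01", 100_000, 2_000, 4.4, 0),
    SnapshotStats("snap-02", 100_000, 3_000, 4.7, 0),
    SnapshotStats("snap-03", 100_000, 2_500, 4.5, 0),
    SnapshotStats("snap-04", 100_000, 2_000, 4.3, 0),
    SnapshotStats("snap-05", 100_000, 3_000, 4.6, 0),
]
SUSPECT = SnapshotStats("snap-06", 100_000, 60_000, 7.9, 48_000)

if __name__ == "__main__":
    for name, (verdict, fired) in scan_snapshots(HISTORY + [SUSPECT]).items():
        print(f"{name}: {verdict} {fired}")
```

In a real deployment the summaries would be produced by the backup engine as each snapshot is taken, and a "suspect" verdict would feed the automated remediation the post mentions: pause further snapshot expiry, alert the SOC, and stage the previous clean snapshot into the isolated recovery environment for validation.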

Compliance With Confidence

Organizations that delay establishing robust capabilities to meet DORA and other evolving resilience regulations – such as PSD2, NIS2, APRA CPS 230, and the European Cyber Resilience Act coming into effect in 2026 – may find themselves with mounting challenges to overcome. They may also find themselves at a competitive disadvantage to firms that can demonstrate their ability to remain resilient in the face of disruptions in the global financial ecosystem.

Working with partners that understand the regulation’s resilience requirements and deploying robust solutions can help enable organizations to be compliant and better prepared to meet new regulatory challenges and defend their data environment against emerging threats.

Pure Storage and Commvault have come together to build a joint solution, modular in design, that helps financial institutions enhance their cyber resilience practices and address key pillars of DORA for incident response and resilience testing. The solution is built by integrating the leading cyber resilience capabilities of Commvault® Cloud with the highly secure, high-performance Pure Storage platform. Learn more about the solution and our commitment to cyber resilience here.

Are You Cyber-ready?

Readiness reflects mature cyber resilience, where technology, people, and processes work seamlessly to enable continuous business in the face of any cyber challenge. Evaluate your organization’s cyber resilience with Commvault’s Cyber Maturity Assessment.

[1] Key findings from the 2024 ESAs Dry Run exercise, European Banking Authority, Dec. 17, 2024.

[2] Countdown to DORA – Four Takeaway Points from Regulators’ December Statements, Skadden, Arps, Slate, Meagher & Flom LLP, Jan. 3, 2025.
