Strategic Transformation: IT Security and Compliance Aligned with DORA
Instead of relying on standard software solutions, many companies choose to develop their own applications – as these are optimally tailored to their specific business requirements and often offer long-term cost advantages. This customer example highlights why in-house developments can also lead to problems – particularly in terms of compliance – and how the new EU regulation DORA (Digital Operational Resilience Act) relates to this.
DORA: What is the Digital Operational Resilience Act?
What does DORA stand for? The Digital Operational Resilience Act, abbreviated DORA, is an EU regulation on digital operational resilience in the financial sector. It regulates the areas of cybersecurity, ICT risks and digital operational resilience and aims to strengthen the European financial market against cyber risks and incidents of information and communication technology (ICT).
The goal is to ensure resilient operations even in the event of a significant operational disruption that could threaten the security of network and information systems. The regulation (Regulation (EU) 2022/2554) entered into force on January 16, 2023, and applies from January 17, 2025; from that date the competent authorities supervise compliance. In Germany, the Federal Financial Supervisory Authority (BaFin) plays a crucial role in the implementation of DORA.
Requirements for companies
DORA sets specific requirements for the network and information systems of companies operating in the financial sector – including banks, insurance companies, investment firms and payment service providers.
Essentially, the digital operational resilience of the EU financial sector should be strengthened in the following areas:
ICT Risk Management
Companies must establish robust management of digital risks. This includes developing strategies and processes to identify, assess and manage cyber risks that could disrupt operations.
Reporting ICT Incidents
Major ICT-related incidents must be reported to the competent authority within the deadlines the regulation sets, in stages (initial notification, intermediate report, final report). This aids in the rapid response to security incidents and helps collect data that can contribute to improving industry-wide resilience.
Digital Operational Resilience Testing
Companies are required to test their digital resilience regularly; financial entities designated by their supervisor must additionally carry out Threat-Led Penetration Testing (TLPT) at least every three years. These tests assess whether the implemented security measures are effective and whether they withstand current attack techniques.
Third-Party Risk Management
Since many financial services depend on external providers, careful risk management for these third parties is necessary. This involves reviewing and assessing the security measures of ICT third-party providers, regular audits, and contracts that contain the provisions DORA requires (including exit strategies for critical or important functions).
Exchange of Information
To promote industry-wide resilience, companies are encouraged to share information about cyber threats and best practices in cybersecurity with other market participants and authorities.
What does DORA mean for ICT third-party service providers?
The EU-wide DORA regulation also addresses the risk associated with ICT third-party service providers. Since financial service providers often use IT systems provided by external technology providers, the regulation applies to a variety of third-party service providers. This includes software providers, cloud service providers, data analysis services and data centers.
ICT third-party service providers classified as “critical” are particularly closely monitored under DORA. These are providers whose operational disruption would have significant systemic consequences for the financial sector; they are designated by the European Supervisory Authorities (ESAs) and overseen by a Lead Overseer.
How DORA initiated the transition to Beta Systems
A leading, internationally active software provider with over 8,000 employees decided to proactively switch to Beta Systems in order to minimize compliance risks and the potentially high costs of a repeat examination by BaFin. After all, companies providing ICT services for the financial industry also fall within the scope of the DORA rules.
With the implementation of Beta LogZ and Beta View, the company achieved significant progress in managing and securing critical IT processes.
Initial situation and challenges
Previously, the company used a software solution developed by an external service provider to archive IBM IWS job logs. During an audit, the auditors pointed out inadequate documentation and security. Issues included:
No protection of log data against manipulation
Externally developed software without documentation
Lack of flexibility in further development due to resource scarcity
No guarantee of stability with new software releases from IBM
The software solution in use thus posed a significant risk, especially with regard to future audits.
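The first audit finding above, log data without protection against manipulation, is the one a practitioner can verify most directly. The following added example (not code from Beta Systems or from the archive product the customer replaced) shows the property a tamper-evident job log archive needs: each archived record is bound to its predecessor with an HMAC chain, so editing, deleting or reordering a record breaks verification, and a separately stored head tag exposes truncation at the end of the archive. The job log records, the field names and the key are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample records in the style of IBM IWS job log metadata (not real output).
SAMPLE_JOBLOGS = [
    {"job": "PAYROLL1", "jobid": "JOB01234", "rc": 0, "ts": "2024-03-01T02:10:00Z"},
    {"job": "GLPOST01", "jobid": "JOB01235", "rc": 4, "ts": "2024-03-01T02:15:00Z"},
    {"job": "SETTLE02", "jobid": "JOB01236", "rc": 0, "ts": "2024-03-01T02:20:00Z"},
]

# Demo key only. In practice the key is held by the archive system (HSM or key store),
# not by the operators who could otherwise re-chain a modified archive.
DEMO_KEY = b"demo-key-not-for-production"

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(record):
    # Stable serialisation so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(seq, prev, record, key):
    # The tag covers position, previous tag and content; that is what links the chain.
    msg = f"{seq}|{prev}|".encode() + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, record, key):
    """Append one job log record to the archive and return its tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    tag = _tag(seq, prev, record, key)
    chain.append({"seq": seq, "prev": prev, "record": record, "tag": tag})
    return tag


def build_archive(records, key):
    chain = []
    for r in records:
        append_record(chain, r, key)
    return chain


def verify_archive(chain, key, expected_head=None):
    """Return (ok, first_bad_seq).

    Detects modified, deleted or reordered records. Truncation at the tail is only
    detected when the last tag was stored out of band (expected_head), e.g. attached
    to the audit ticket when the archive was closed.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        expected = _tag(i, prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def with_modified(chain, seq, field, value):
    """Deep copy of the archive with one field of one record changed (simulated tampering)."""
    tampered = copy.deepcopy(chain)
    tampered[seq]["record"][field] = value
    return tampered


if __name__ == "__main__":
    archive = build_archive(SAMPLE_JOBLOGS, DEMO_KEY)
    head = archive[-1]["tag"]
    print("intact:", verify_archive(archive, DEMO_KEY, head))
    print("rc edited:", verify_archive(with_modified(archive, 1, "rc", 0), DEMO_KEY, head))
    print("tail cut:", verify_archive(archive[:2], DEMO_KEY, head))
```

Note what the chain alone does not give you: an operator who holds the HMAC key can rebuild the whole chain after editing a record, and a chain that is simply cut short still verifies unless its head tag was recorded elsewhere. Both are key management and process questions, which is why an auditor asks for documentation of who holds the key and where the head tags are kept, not just for the hashing code.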
The decision of the company to use software solutions from Beta Systems was additionally influenced by the increasing pressure from DORA on ICT third-party service providers. The switch was therefore a crucial step to meet the high security and compliance standards of the DORA regulations and to minimize potential financial and regulatory risks.
What made the company choose Beta Systems?
The switch to Beta Systems occurred after a thorough review of the solutions available on the market. With its specialized offering for the banking sector, tailored to the needs of the software provider, Beta Systems convinced the customer. Beta LogZ and Beta View were implemented quickly and integrated seamlessly into the existing IT architecture.
Benefits of implementing Beta LogZ and Beta View:
Standardized process for archiving job output with connection to the Jira ticketing system
User-friendly and low-maintenance job output archive
Ensuring the integrity, correctness and security of accounting-relevant data
VTAM access and/or web interface for non-mainframe users
Strategic and innovative further development of the archive by Beta Systems
Support for the latest IBM z/OS releases
Beta LogZ simplifies IT auditing and is already recognized by auditors
Straightforward integration into existing architectures
Long-term investment security
Easily accessible operational service via Kyndryl
An additional advantage: The company’s development team was already familiar with Beta LogZ (formerly Beta 92), enabling a quick time-to-production.
Conclusion: Act now to be DORA-compliant
Implementing suitable security technologies and modernizing existing systems are crucial to meeting the compliance requirements of the DORA regulation. Companies should also invest in training their employees to raise awareness and understanding of cybersecurity risks.
Are you already prepared for DORA, or do you have concerns about the security of your IT systems? Our experts are happy to advise you and help you take the right steps to strengthen IT security in preparation for DORA.