Blog Article

Hands typing on laptop keyboard with security locks as a symbol of DORA compliance and IT security
Strategic Transformation: IT Security and Compliance Aligned with DORA

Instead of relying on standard software solutions, many companies choose to develop their own applications – as these are optimally tailored to their specific business requirements and often offer long-term cost advantages. This customer example highlights why in-house developments can also lead to problems – particularly in terms of compliance – and how the new EU regulation DORA (Digital Operational Resilience Act) relates to this.

Find out more

DORA: What is the Digital Operational Resilience Act?

What does DORA stand for? The Digital Operational Resilience Act, abbreviated DORA, is an EU regulation on digital operational resilience in the financial sector. It regulates the areas of cybersecurity, ICT risks and digital operational resilience and aims to strengthen the European financial market against cyber risks and incidents of information and communication technology (ICT).

The goal is to ensure resilient operations even in the event of a significant operational disruption that could threaten the security of network and information systems. The regulation came into effect on January 17, 2023, and will be enforced by regulatory authorities from January 17, 2025. In Germany, the Federal Financial Supervisory Authority (BaFin) will play a crucial role in the implementation of DORA.

Requirements for companies

DORA sets specific requirements for the network information systems of companies operating in the financial sector – including banks, insurance companies, investment firms and payment service providers.

Essentially, the digital operational resilience of the EU financial sector should be strengthened in the following areas:

ICT Risk Management shown as icon with shield and exclamation mark on it

ICT Risk Management

Companies must establish robust management of digital risks. This includes developing strategies and processes to identify, assess and manage cyber risks that could disrupt operations.

Reporting ICT Incidents shown as ringing bell icon

Reporting ICT Incidents

Incidents affecting a company’s digital systems must be reported within a defined timeframe. This aids in the rapid response to security incidents and helps collect data that can contribute to improving industry-wide resilience.

Digital Operational Resilience Testing shown as icon with verification checkbox

Digital Operational Resilience Testing

Companies are required to regularly test their digital resilience, including Threat-Led Penetration Testing (TLPT). This involves testing to assess the effectiveness of implemented security measures and to ensure they can withstand the latest threats.

Third-Party Risk Management shown as icon with verified person with check mark

Third-Party Risk Management

Since many financial services depend on external providers, careful risk management for these third parties is necessary. This involves reviewing and assessing the security measures of ICT third-party providers as well as regular audits.

Exchange of information shown as icon with two speech bubbles icon

Exchange of Information

To promote industry-wide resilience, companies are encouraged to share information about cyber threats and best practices in cybersecurity with other market participants and authorities.

What does DORA mean for ICT third-party service providers?

The EU-wide DORA regulation also addresses the risk associated with ICT third-party service providers. Since financial service providers often use IT systems provided by external technology providers, the regulation applies to a variety of third-party service providers. This includes software providers, cloud service providers, data analysis services and data centers.

ICT third-party service providers classified as “critical” are particularly closely monitored under DORA. These include all suppliers that would have significant systemic consequences for the financial company in the event of an operational disruption.

Hand typing on laptop with locks as symbols for IT infrastructure security and DORA compliance

Digital operational resilience: Take action to be DORA-compliant.

How DORA initiated the transition to Beta Systems

A leading, internationally active software provider with over 8,000 employees decided to proactively switch to Beta Systems to minimize compliance risks and potentially high costs for a possible re-examination by BaFin. After all, companies providing ICT services for the financial industry also fall under the scope of the DORA rules.

With the implementation of Beta LogZ and Beta View, the company achieved significant progress in managing and securing critical IT processes.

Initial situation and challenges

Previously, the company used a software solution developed by an external service provider to archive IBM IWS job logs. During an audit, the company was pointed out the inadequate documentation and security. Issues included:

  • No protection of log data against manipulation

  • Externally developed software without documentation

  • Lack of flexibility in further development due to resource scarcity

  • No guarantee of stability with new software releases from IBM

The used software solution thus posed a significant risk, especially in terms of future audits by auditors.

The decision of the company to use software solutions from Beta Systems was additionally influenced by the increasing pressure from DORA on ICT third-party service providers. The switch was therefore a crucial step to meet the high security and compliance standards of the DORA regulations and to minimize potential financial and regulatory risks.

What made the company choose Beta Systems?

The switch to Beta Systems occurred after a thorough review of available solutions on the market. With its specialized offering for the banking sector, tailored to the needs of the software provider, Beta Systems has convinced the customer. Beta LogZ and Beta View were quickly implemented and seamlessly integrated into the existing IT architecture.

Benefits of implementing Beta LogZ and Beta View: 

  • Standardized process for archiving job output with connection to the Jira ticketing system 

  • User-friendly and low-maintenance job output archive 

  • Ensuring the propriety and security of accounting-relevant data 

  • VTAM access and/or web interface for non-mainframe users 

  • Strategic and innovative further development of the archive by Beta Systems 

  • Support for the latest IBM z/OS releases 

  • Beta LogZ simplifies IT auditing and is already recognized by auditors 

  • High integration power into existing architectures 

  • Long-term investment security 

  • Easily accessible operational service via Kyndryl 

An additional advantage: The company’s development team was already familiar with Beta LogZ (formerly Beta 92), enabling a quick time-to-production.

Conclusion: Act now to be DORA-compliant

The implementation of advanced security technologies and the updating of existing systems are crucial to meet the compliance requirements of the DORA regulation. Companies should also invest in training their employees to raise awareness and understanding of cybersecurity risks.

Are you already prepared for DORA, or do you have concerns about the security of your IT systems? Our experts are happy to advise you and help you take the right steps to strengthen IT security in preparation for DORA.

Last updated on

Find out more

Tags

ComplianceDORA

Share

Further Resources

Blog Article
soap-blog.jpg

What Is SOAP?

Unlocking the Potential of Service Orchestration and Automation Platforms
Blog Article
automation.webp

Maximizing Efficiency with Event-Driven Automation

Automation is becoming increasingly indispensable in modern organizations, driving efficiencies across departments and fields from infrastructure to DevOps. However, while most companies recognize the potential benefits of automation, many still struggle to make the most of it. Fragmented processes, disconnected tools, and poorly defined objectives often prevent organizations from reaching full automation potential. Here, we’ll explore a strategic approach to building a mature automation framework that enables seamless, efficient, and scalable operations.
Blog Article
ai.jpg

Exploring the Future of AI: Multimodal Systems, Cross-Platform Integration, and What’s Next

In a recent presentation, I shared insights into the evolving landscape of artificial intelligence and how these advancements are shaping Beta Systems’ approach to innovation. I covered three main topics: the journey to multimodal AI, cross-platform integration, and a glimpse into future AI possibilities. Here’s an overview of these exciting developments and what lies ahead for AI.