The Digital Operational Resilience Act (DORA) will be applicable to financial institutions starting in 2025. There is less than half a year left to make sure you establish the organisation, processes, tools and data that comply with the requirements for “strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption”, as stated by the European Insurance and Occupational Pensions Authority.

Risks within information and communications technology (ICT) can lead to disruptions of financial services offered across borders. Disruptions such as the CrowdStrike outage, which caused global impact across all industries, can have a significant effect on business and operations. Other examples of risks are DDoS attacks, malware attacks including ransomware, hardware or software vulnerabilities, third-party or supply chain attacks, data manipulation attacks, cloud service outages, and human errors or insider threats.

Becoming compliant with the DORA requirements makes your organisation more resilient and more trustworthy in such situations. But how do you become compliant within a few months if you have not started this journey yet?

Note: In the following article, I will outline the technical part of the DORA implementation, leaving out important parts such as the actual DORA consultancy, vendor risk management, governance and organisational change. You cannot really consider one without the other, but covering all of them would blow up the article.

Define a vision of the DORA program

Programs driven by regulations are not really exciting: you normally start late and need to achieve fast results while other business-critical initiatives are still running. People do not really understand why they need to switch focus, and it is the role of upper management to explain the need and get everyone on board.

A vision and a hero statement can help achieve that, because the journey towards DORA readiness is not just about compliance. It helps you establish excellence in digital operations. The main goal of DORA is to create a secure, resilient and trustworthy environment and to increase the confidence of the stakeholders.

The vision can be something like:

Empowering Resilience and Trust through Digital Operational Excellence.

Supported by a hero statement that outlines the importance and the expected outcomes:

Our mission is to establish a robust and resilient digital ecosystem that not only meets but exceeds the standards set by the Digital Operational Resilience Act (DORA). We envision a future where our organisation stands as a beacon of digital reliability and trust, ensuring seamless continuity of services even in the face of the most challenging cyber threats and operational disruptions.

Understand the gap

DORA covers ICT-related processes and procedures, including risk management, third-party risk management, digital operational resilience testing, incident handling, information sharing and the oversight of critical third-party providers.

You probably already have a solid foundation. But there can be gaps in transparency, in the speed of data gathering and impact analysis, in the communication process, and in keeping playbooks and recovery procedures up to date.

So, the first step is to understand what is actually required, where you are, and what gap needs to be closed. There are plenty of self-assessments and checklists available. A short version is below, just to help you get an overview of the scope.

As a result of the analysis you will get a set of actionable activities and challenges. We use them in the next steps to decompose the work and build a strategic roadmap for the implementation.

Build a strategic roadmap towards DORA compliance with Key ServiceNow capabilities

ServiceNow provides an integrated platform that helps companies automate their IT processes while ensuring they comply with the regulatory requirements of DORA. There are three major pillars that support you in addressing the strategic alignment with DORA compliance.

Besides those, there are underlying capabilities of the Now Platform that interact with all applications, e.g. a healthy and service-oriented CMDB, communication and self-service tools, automations and integrations, etc.

But which capabilities are right for the identified gaps and challenges, and how do you break down the applications into the specific features that need to be implemented?

Deep Dive: Handling of ICT Incidents

So, let’s take a closer look at how ICT incident handling should be done in concrete terms. Financial companies must record all ICT-related incidents and significant cyber threats. They set up appropriate procedures and processes to ensure coherent and integrated monitoring, treatment and follow-up of ICT incidents. They should also ensure that the root causes are identified, documented and addressed in order to prevent the recurrence of such incidents.

In ServiceNow, you would do this with Incident Management and an integrated, well-defined CMDB. Automated incident detection, as well as proactive issue detection, is supported by ServiceNow ITOM Event Management and AIOps.

The handling procedure is as follows:

Financial entities are required to report major ICT incidents to the relevant competent authority. If a financial entity is supervised by more than one national authority, Member States shall designate a single competent authority. The national authority shall forward the report to the ECB without delay.

There are templates for the submission of reports. Member States may also stipulate that some or all financial entities must additionally submit the reports to the competent authorities or the Computer Security Incident Response Teams (CSIRTs) on the basis of the templates provided.

When a serious ICT-related incident occurs that affects the financial interests of customers, financial entities shall promptly inform their customers about the incident and the measures taken. In the case of a significant cyber threat, financial entities shall inform their potentially affected customers about appropriate protective measures, where appropriate.

The competent authority receives

Financial entities may outsource the reporting obligations to an external service provider. In the event of such outsourcing, the financial institution remains fully responsible for fulfilling the incident reporting obligations.

After receiving the first reports, the competent authority shall communicate details of the serious ICT-related incident to the following recipients in a timely manner, within the scope of their respective competences:

The EBA, ESMA or EIOPA and the ECB shall, in consultation with ENISA and in cooperation with the relevant competent authority, assess whether the serious ICT-related incident is relevant for the competent authorities in other Member States and inform the relevant competent authorities accordingly.

The notification to be made by ESMA shall be without prejudice to the responsibility of the competent authority to communicate the details of the serious ICT-related incident to the competent authority of the host Member State without delay.

Automated report preparation, including gathering the required data, is not available in ServiceNow out of the box; however, it can be built as a Scoped Application.

We support you in making your organisation DORA-ready by using ServiceNow capabilities, custom solutions and AI.

Kostya Bazanov, Managing Director, Oct 21, 2024
