The new EU regulation, DORA, is set to significantly enhance the protection of customer funds and data within financial institutions.
DORA officially entered into force on January 16, 2023. Since then, financial institutions have begun preparing to meet the new requirements, although compliance was not initially mandatory. However, the regulation will become fully enforceable on January 17, 2025.
DORA consolidates various initiatives from different European regulatory authorities, including the European Central Bank (ECB), into a single document. Essentially, DORA impacts every participant in the financial market, including banks, investment firms, asset management companies, digital asset providers, insurance companies, and others.
In Poland alone, the regulation will apply to 29 commercial banks, nearly 500 cooperative banks, over 40 payment institutions, and notably, dozens of IT solution providers.
Under DORA, financial institutions are obligated to manage information and communication technology (ICT) risks, report incidents, test operational resilience, manage third-party (ICT service providers) risks, and share information with other entities in the financial sector.
Steeper Penalties and Greater Order
While banks are accustomed to regulations, DORA introduces several new elements. It all began in 2002 with the Sarbanes-Oxley Act, which increased the responsibility of boards in financial reporting and internal controls. Then came Basel I, II, and III, PCI DSS, and numerous other regulations. So, what new aspects does DORA bring to regulations for financial institutions?
Three factors are worth highlighting:
- DORA unifies digital security regulations in the financial sector. Regulations for the industry are scattered across various legal acts, and sometimes they simply do not align well with one another.
- The introduction of individual penalties for board members ensures that compliance cannot be ignored. The penalties are quite severe, with maximum fines reaching up to €10 million. In the case of serious or repeated violations, the fine can be doubled, and in extreme situations, imprisonment is not excluded. This personal risk emphasizes the need for top-level managers to be actively involved in ensuring compliance with DORA.
- For the first time, regulations include IT system providers. DORA changes the game, as financial institutions are now obligated to impose requirements on IT infrastructure providers. In practice, this means financial entities can only contract external ICT service providers that meet high and up-to-date information security standards. Moreover, certain oversights may result in penalties for infrastructure providers.
The regulation sets the bar quite high—not only for IT hardware and software manufacturers but also for cloud service providers and MSSPs (Managed Security Service Providers).
DORA and Data Protection
According to data from Check Point, banks operating in Poland must fend off more than 1,600 attacks daily. Hackers target only the military and public institutions more frequently in the country. A similar situation exists in the United States, where the financial sector ranks second in the frequency of cyberattacks.
Attackers have straightforward goals—they want money or data, and financial institutions have both. Banks and insurers handle vast amounts of personal and financial data, including bank accounts, transaction details, investment information, and credit histories. These organizations manage highly sensitive data, and breaches can result in severe consequences for both customers and the institutions themselves. For this reason, the financial sector pays close attention to the ever-growing body of privacy and data protection regulations.
The latest of these is the aforementioned DORA, which clearly defines requirements for financial institutions regarding data backup and recovery. Their obligations include configuring backup systems capable of withstanding cyber incidents, system failures, and disruptions. Notably, DORA emphasizes that creating backups is not just an IT issue but a management responsibility requiring oversight and approval from executive leadership.
Article 12 – Data Protection Guidelines
Article 12 of the DORA regulation provides detailed guidelines on the principles, procedures, and methods for data backup, restoration, and recovery. According to these provisions, financial entities are required to develop and document rules and procedures for backing up and recovering data.
The document must specify the scope of data to be backed up and the frequency of backups. When determining RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each function, it is essential to consider its criticality and the extent to which disruptions would harm the entity’s financial performance and service continuity.
In addition to regular backups of critical systems and data, DORA mandates periodic testing of backup procedures and recovery methods. Financial institutions are also required to establish clear procedures for both internal and external communication during incidents. This ensures timely and effective responses, including notifying relevant authorities and customers.
Financial institutions must conduct post-incident reviews to maintain the highest levels of data integrity. These reviews should also be carried out during the reconstruction of data from clients and partners to ensure the consistency of all data transferred between systems.
DORA also specifies requirements for central securities depositories, which must maintain at least one secondary data processing site:
a) A safe distance from the primary processing site to prevent the same event from affecting both locations.
b) Capability to ensure continuity of critical functions at the same level as the primary site or at a service level sufficient to carry out recovery processes.
c) Immediate access for financial entity personnel to ensure the continuity of critical functions if the primary site becomes unavailable.
Data Protection for SaaS
Cloud applications are the largest source of data breaches, according to 60% of respondents in The 2024 State of SaaS Resilience survey.
However, half of the respondents mistakenly believe that cloud service providers (CSPs) are solely responsible for data protection. In reality, CSPs operate under a shared responsibility model, meaning they are responsible for the security of the cloud infrastructure and the solutions they offer, while users are responsible for securing their own data and applications within the cloud.
Unfortunately, misunderstanding this principle often results in data loss caused by employee errors or cyberattacks. This issue affects banks, insurance companies, and fintech organizations alike. However, with the implementation of DORA, the situation is set to change. Financial institutions, when signing contracts with SaaS providers, will now inquire about the ability to obtain a complete copy of their data—questions that will be raised as early as the procurement stage.
If the service provider does not offer backup services, the responsibility will fall on the user. In such cases, backups must be stored in a separate local system or in the cloud of another provider.
How does Storware Backup and Recovery support Digital Operational Resilience Act (DORA)?
Storware Backup and Recovery software aligns with the principles of the Digital Operational Resilience Act (DORA) by providing robust data protection, ensuring operational continuity, and supporting compliance with regulatory requirements. Here’s how Storware helps companies meet DORA’s key principles:
1. ICT Risk Management Framework
- Centralized management console to monitor backup and recovery activities.
- Reporting and alerts for backup failures
- Supports enterprise-wide implementation of ICT risk strategies.
2. Incident Reporting
- Logs and audit trails for all backup and restore operations, facilitating incident detection and reporting.
- Detailed insights into data integrity issues or failures.
- Automated reporting features to notify of anomalies or recovery scenarios.
3. Digital Operational Resilience Testing
- Built-in recovery testing features ensure backup data is recoverable and operational.
- Non-disruptive testing capabilities to verify disaster recovery plans without impacting live environments.
- Tools to simulate different failure scenarios and measure recovery time objectives (RTOs) and recovery point objectives (RPOs).
4. Third-Party Risk Management
- Supports backup of data across diverse environments, including on-premises, cloud, and hybrid setups, ensuring resilience against third-party failures.
- Vendor-neutral architecture minimizes dependency on any single third-party provider.
- Data encryption and access controls to secure data managed by external service providers.
5. Information Sharing
- Facilitates collaboration with IT and security teams by providing clear reports and analytics on backup-related events.
- Promotes a unified approach to managing cybersecurity threats through visibility into data protection workflows.
6. Governance and Oversight
- Role-based access controls (RBAC) and user activity tracking ensure accountability within the organization.
- Simplifies audits with detailed documentation of backup configurations and recovery processes.
7. Critical ICT Providers Oversight
- Works seamlessly with major cloud providers (AWS, Azure, Google Cloud) and ensures their data protection meets compliance requirements.
- Encrypts backups and ensures secure data transfer, reducing risks from third-party vulnerabilities.
8. Adaptation and Compliance
- Regular updates to the software ensure compatibility with evolving cybersecurity threats and regulations.
- Flexible deployment options enable organizations to adapt their data protection strategy as needed.
- Compliance-friendly features such as encryption, immutability, and detailed reporting support adherence to regulatory standards like DORA.
By delivering resilient, secure, and adaptive backup and recovery solutions, Storware enables financial entities to meet the stringent requirements of DORA, ensuring business continuity and safeguarding critical data in an increasingly digital and regulated environment.
