Welcome to DORA. No, no, not the explorer! Rather, a new European law that aims to be a game-changing framework for the financial sector. It’s like the stress tests that banks must undergo to prove their financial resilience, liquidity and capability to survive, but now for disruptions in technology and digital operations. Even third-party service providers aren’t spared – this one applies to all of them too. Welcome to 2024, where everything needs to be resilient. Now, about this.
The Digital Operational Resilience Act, or DORA, is a pioneering regulatory framework set to transform the operational resilience landscape for the financial sector in the European Union – and for everyone operating within it. It is a comprehensive approach to ensuring that financial entities and tech service providers in the EU can withstand, respond to, and quickly recover from any digital disruption. Whether it’s a cyber-attack, a technical SNAFU or any other tech-related incident (you name it), DORA is designed to make the financial sector more robust and resilient. This means enhancing risk management practices, implementing stringent incident management procedures, ensuring robust third-party risk management and conducting rigorous Threat-Led Penetration Testing (TLPT). Whether you’re a fintech disruptor, a traditional bank, or a tech vendor servicing them, DORA is the real explorer here…
Well, you can say that DORA is focused on the cyber security part, because it requires robust digital defence mechanisms, especially for responding to digital incidents, and demands proactive vulnerability assessments through ethical hacking. But it also fosters a new approach to integrated risk management, treating digital risks in conjunction with operational risks. The framework is principle-based, so it will require a significant shift in the governance model of banks and financial organizations, moving them from a siloed risk management approach towards a more interconnected, asset-centric strategy. I hate this word, but it’s clearly a holistic approach to safeguarding critical IT assets. The outcome should be a very secure and resilient organization that can survive even a worst-case ransomware attack.
For me, the interesting part was indeed the Threat-Led Penetration Testing, which introduces a proactive approach to cybersecurity. Inspired by the TIBER-EU framework, TLPT involves ethical hackers simulating cyber-attacks to identify and rectify vulnerabilities. This is a call to action for the tech community to engage in ethical hacking to improve the financial sector’s defences. And that’s where I have doubts. I mean, that ethical hackers can actually do that in a safe way, or even that they want to do it for banks. Being ‘evil’ in the financial sector is always more appealing than being a white-hat.
Now, it’s interesting to see how Generative AI (GenAI) can both complicate and assist DORA’s implementation. On the one hand, GenAI can enhance DORA by improving threat detection, automating risk assessments, and optimizing incident response through advanced analytics and pattern recognition. On the other hand, GenAI introduces new complexities, such as sophisticated AI-driven cyber threats that could challenge existing digital resilience frameworks. Balancing GenAI’s potential to innovate against its risks is key to leveraging its capabilities while safeguarding the financial sector’s operational resilience under DORA.
Bottom line: DORA is not just about compliance and ticking boxes; it’s about enhancing the digital and cyber operational resilience of the financial sector in a holistic manner. It requires a paradigm shift towards an integrated risk management approach, where digital risks are considered in conjunction with other operational risks. This presents an opportunity. It’s a chance to innovate, to contribute to a safer financial environment, and to be at the forefront of shaping a resilient and more secure digital future.