Digital transformation initiatives, for the most part, offer significant advantages—enhancing efficiency, agility, and innovation across the business. However, these initiatives can also introduce new challenges. As IT landscapes and software delivery processes evolve, the risk of inadvertently creating new vulnerabilities increases. Left unaddressed, these gaps can result in cyberattacks, system outages, and network intrusions.
These risks are particularly critical for financial services institutions, which are now under greater scrutiny with the Digital Operational Resilience Act (DORA). This comprehensive regulation applies to all financial institutions in the European Union (EU), as well as third-party providers of information and communication technology (ICT) services to financial entities. Only small firms are exempt from DORA—those with fewer than 10 employees or less than €2 million on their annual turnover and balance sheets.
A comprehensive regulatory reach
DORA addresses a broad range of ICT risks, including incident response, resilience testing, third-party risk management, and information sharing. To achieve compliance, financial institutions must implement robust controls, submit detailed reports, conduct regular penetration tests, and establish effective third-party risk management strategies, all while adhering to data privacy regulations and other requirements. With dozens of specific rules, DORA’s reach is extensive and far-reaching.
The regulation impacts a broad spectrum of financial institutions, including banks, brokers, credit institutions, insurance companies, and payments processors. Moreover, it also applies to all the IT services firms that provide critical functions like cloud hosting, payment processing, data analytics, and other digital services to these financial institutions.
When DORA becomes effective on January 17, 2025, non-compliance with DORA will trigger severe administrative and criminal penalties. For example, a noncompliant third party could face daily fines of 1% of its previous year’s average daily turnover for up to six months. Penalties will be determined by the severity and duration of the noncompliance, whether it was intentional, and the organization’s willingness to cooperate with DORA authorities. EU member states could also impose additional criminal penalties in accordance with their national laws.
Proactive preparation with AI-powered solutions
With DORA’s deadline quickly approaching, preparing for DORA is critical. Organizations need solutions that not only ensure compliance but also provide cost-effective, scalable and confidence-building approaches to address potential risk scenarios.
For example, the BMC Helix platform is a comprehensive, AI-powered solution designed to align with DORA’s requirements. With integrated capabilities like service management, operations management and monitoring, mainframe management, and business process automation tools, BMC Helix empowers financial institutions to ensure compliance with DORA’s requirements for governance, visibility, risk management, business continuity, and incident management.
One notable tool, BMC HelixGPT, uses a large language model (LLM) that drives a suite of AI-powered software agents. These agents perform critical services like discovery service mapping, capacity optimization, and more, acting as a copilot for teams managing DORA compliance. By integrating with other data platforms like Snowflake, BMC HelixGPT enables insightful data analysis, ensuring relevant information is readily and timely accessible. In addition, BMC Helix dashboards provide DORA-focused insights and generate reports tailored to DORA-specific requirements.
Ultimately, BMC Helix not only helps reduce vulnerabilities—minimizing the risks of cyberattacks, data breaches, and system outages—but also supports the goal of DORA to increase operational resilience.
The renewed priority of mainframe operational resilience
For financial services, mainframe operational resilience demands a new approach. These systems are crucial to DORA’s mandate, yet many organizations lag in disaster recovery, relying on outdated strategies. Regulators now require immutable data—physically and logically separated—to ensure resilience. BMC AMI provides solutions for Service Awareness, Risk Management, Business Continuity, Incident Management, and Governance, ensuring mainframes remain secure, resilient, and aligned with business goals. Operational resilience goes beyond compliance; it protects the organization’s core.
But remember: DORA’s enforcement takes effect in January, so the time to act is now. By investing in the right solutions, your institution can enhance its resilience, avoid costly penalties, and secure a future where operational disruptions are minimized, and business objectives and goals are met with greater confidence.
Source: CIO (9th September, 2024)