What is DORA?
The Digital Operational Resilience Act (DORA) is European Union legislation designed to enhance the digital operational resilience of financial institutions and their critical third-party ICT (Information and Communication Technology) service providers. DORA has two primary objectives:
- One goal is to ensure that the financial sector can effectively withstand, respond to, and recover from ICT-related disruptions, cyber threats, and operational risks. DORA sets out specific requirements for robust ICT risk management, anomaly detection, incident reporting, third-party oversight, and regular testing.
- A second goal is to ensure that this regulation is harmonized across the member states of the EU and that financial organizations implement the same best practices.
Within the legislation itself, DORA sets out in detail the obligation to ensure that third-party service suppliers are assessed as compliant. Within the financial sector many organizations have become increasingly reliant on the services of a small number of third-party providers, often referred to as critical third parties, because a disruption (such as a cyber-attack on a cloud provider) could cascade across financial institutions, threatening consumer access and market stability. Strengthening oversight ensures critical supply chains remain resilient, safeguarding the financial system from systemic failures.
In Europe, DORA has become a significant consideration for Fintech providers and their supply chains and ecosystems.
The Council of the European Union and the European Parliament (the legislative bodies responsible for approving EU laws) formally adopted DORA on 28 November 2022. DORA was published in the Official Journal of the European Union on 27 December 2022 and comprises a regulation and a directive. DORA will become fully enforceable on January 17, 2025, giving organizations time to align their systems and processes with its requirements.
The difference between EU directives and regulations
The European Union (EU) uses directives and regulations as legislative tools, but they differ in how they are applied and implemented across member states:
EU Directives
- Nature: Provide goals or objectives that EU member states must achieve.
- Implementation: Require transposition into national law by each member state, allowing flexibility in how the objectives are met.
- Example: The General Data Protection Directive (precursor to GDPR).
EU Regulations
- Nature: Binding legislative acts that apply directly across all EU member states.
- Implementation: Automatically enforceable without the need for national laws, ensuring uniform application.
- Example: The General Data Protection Regulation (GDPR).
Whilst directives offer flexibility in implementation (individual countries can decide how they adhere to the broad and slightly vague objectives of directives and sometimes even what “adhere” means), regulations enforce uniformity across the EU. Financial organizations in the EU will have to adhere to the specifics defined in the DORA regulation.
The full DORA regulation as published by the EU is available here: Publications Office. There are numerous third-party sites that present the information in a somewhat friendlier format; personally I like DORA Regulation (Digital Operational Resilience Act) – Full text, as it pulls out the sections under comprehensible headings such as “Detection” and “Communication” in manageable bites.
When you delve into the details of the regulation you will realize that the choice of monitoring and observability tooling is going to be key for organizations needing to be DORA compliant. Moreover, it becomes apparent that only modern AIOps-driven platforms such as eG Enterprise can help customers meet these requirements.
The opening paragraph of DORA
In the digital age, information and communication technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are today core features of the activities of Union financial entities, their digital resilience has yet to be better addressed and integrated into their broader operational frameworks.
Source: Publications Office
Who will DORA regulation apply to?
DORA will apply to a wide range of entities in the EU’s financial ecosystem, including:
- Financial Institutions: Banks, investment firms, insurance and reinsurance companies, payment institutions, and asset managers.
- Financial Market Infrastructures: Trading platforms, central securities depositories (CSDs), and central counterparties (CCPs).
- ICT Third-Party Providers: Cloud service providers, software vendors, and other critical technology providers supporting financial services.
- Crypto and Crowdfunding Entities: Crypto-asset service providers (CASPs) and regulated crowdfunding platforms.
The regulation’s broad scope is intended to ensure operational resilience across the financial ecosystem but also its service and supply chains. DORA’s application to ICT third-party providers means businesses such as cloud services, MSPs (Managed Service Providers), software vendors, and data processors supporting financial institutions must comply. This extends compliance obligations way beyond finance, impacting numerous sectors providing critical technology services to regulated entities.
Many organizations that will be required to comply with DORA are regulated by the European Securities and Markets Authority (ESMA). ESMA provides a very good overview of the timelines and practicalities of DORA’s rollout, plus links to some interesting history of the act; please see: Digital Operational Resilience Act (DORA).
Will DORA apply in the UK?
Any UK financial entity looking to operate in the EU or as a supplier to EU entities will be expected to adhere to the EU’s DORA regulation. This will apply to financial firms who (directly, or indirectly through their group) offer their services in the EU, but also to ICT service providers who offer services in the EU.
In a similar way to how the UK GDPR tracks the EU’s GDPR, it is expected that the UK government will implement legislation harmonized with the EU legislation. On 12th November 2024 the FCA (Financial Conduct Authority) published a roadmap agreed between the Financial Conduct Authority, Bank of England and Prudential Regulation Authority that outlined how the UK intended to align with DORA, see: New rules to strengthen resilience of UK’s financial sector | FCA.
How eG Enterprise is helping customers prepare for DORA
In this section I will cover why the AIOps capabilities within eG Enterprise are essential for DORA compliance.
Why AIOps Monitoring is Essential for DORA Compliance
DORA mandates strict measures to ensure financial institutions and their ICT systems can withstand and recover from operational disruptions. AIOps (Artificial Intelligence for IT Operations) monitoring, which leverages AI and machine learning for proactive IT management, is pivotal for meeting DORA’s requirements, particularly in the areas of anomaly detection, risk management, and incident reporting. Let’s get specific with reference to the detail of the regulation.
1. DORA – Anomaly Detection and Risk Management
DORA emphasizes the need for early detection of anomalies in ICT systems, as outlined in Article 10 (“Detection”), which requires entities to identify potential risks and threats that could compromise operational resilience. AIOps-driven eG Enterprise is designed to detect irregularities by:
- Collecting and analyzing at scale: AIOps allows eG Enterprise to collect and analyze millions of metrics, logs, traces and other events in real time to identify potential issues.
- Dynamic automated baselining: Learning normal behavior patterns across systems and flagging deviations in real-time.
- Predictive analytics: Using historical data and AI models to predict potential system failures before they occur.
- Root cause analysis: Automatically correlating events and data from across applications, networks, and infrastructure to identify the underlying issue quickly.
eG Enterprise’s AIOps features such as auto-detect, auto-deploy, and universal agent technologies are vital for DORA compliance and anomaly detection in auto-scaling systems. They ensure comprehensive monitoring from Day 0, preventing blind spots that can emerge during scaling events and enabling real-time detection of risks and anomalies.
In short, eG Enterprise’s capabilities all align with DORA’s requirement for proactive risk identification, enabling financial entities to mitigate threats before they escalate into full-blown incidents. You simply can’t do proactive anomaly detection without mature and advanced AIOps capabilities.
Article 10 – Digging deeper
Let’s take a closer look at the specifics of the first few clauses of Article 10 (the article that deals with “Detection”).
- 1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.
- 2. The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.
Very few solutions offer the granular level of control of eG Enterprise, which is considered best in class. We are so proud of our excellence in this area that we’ve written a free whitepaper to help you evaluate such capabilities, see: White Paper | Make IT Service Monitoring Simple & Proactive with AIOps Powered Intelligent Thresholding & Alerting. Many traditional monitoring tools simply can’t offer the capabilities DORA will require.
Note Article 17 covers “ICT-related incident management processes”.
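To make the “dynamic automated baselining” bullet above and Article 10(2)’s “alert thresholds and criteria to trigger” concrete, here is a small added example. It is illustrative code written for this page, not eG Enterprise code: it learns a baseline from a sliding window of samples judged normal, derives an alert threshold from it, opens an alert only once the trigger criteria are met (a configurable run of consecutive breaches), and closes it only when the metric is back within range. The metric name, window size, sigma multiplier and sample values are all constructed assumptions.

```python
"""Dynamic baselining with threshold-based alerting.

Added illustrative example (not eG Enterprise code). Learns what "normal"
looks like for a metric, derives an alert threshold from that baseline,
opens an alert only when the trigger criteria are met (N consecutive
breaches) and closes it only once the metric is back within range.
The metric name, window size and sample values below are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional


@dataclass
class Alert:
    metric: str
    opened_at: int                   # index of the first breaching sample
    closed_at: Optional[int] = None  # index of the sample that cleared it
    peak: float = 0.0                # worst value seen while breaching


@dataclass
class Baseliner:
    """Sliding-window baseline over the last `window` samples judged normal.

    Breaching samples are deliberately *not* fed back into the window, so an
    incident in progress cannot teach the baseline that bad values are normal.
    """
    metric: str
    window: int = 20
    sigma: float = 3.0       # threshold = mean + sigma * stddev
    min_breaches: int = 3    # consecutive breaches needed to open an alert
    history: List[float] = field(default_factory=list)
    consecutive: int = 0
    peak: float = 0.0
    open_alert: Optional[Alert] = None
    closed_alerts: List[Alert] = field(default_factory=list)

    def threshold(self) -> Optional[float]:
        """Upper alert threshold, or None while still learning."""
        if len(self.history) < self.window:
            return None
        mu = mean(self.history)
        # Floor the spread at 5% of the mean so a near-constant metric does
        # not yield a hair-trigger threshold.
        sd = max(pstdev(self.history), 0.05 * abs(mu))
        return mu + self.sigma * sd

    def observe(self, index: int, value: float) -> Optional[str]:
        """Feed one sample; returns "opened", "closed" or None."""
        thr = self.threshold()
        if thr is not None and value > thr:
            self.consecutive += 1
            self.peak = max(self.peak, value)
            if self.open_alert is not None:
                self.open_alert.peak = self.peak
                return None
            if self.consecutive >= self.min_breaches:
                self.open_alert = Alert(self.metric,
                                        opened_at=index - self.min_breaches + 1,
                                        peak=self.peak)
                return "opened"
            return None
        # Within range (or still learning): this sample updates the baseline.
        self.consecutive = 0
        self.peak = 0.0
        self.history.append(value)
        if len(self.history) > self.window:
            self.history.pop(0)
        if self.open_alert is not None:
            self.open_alert.closed_at = index
            self.closed_alerts.append(self.open_alert)
            self.open_alert = None
            return "closed"
        return None


def run(metric: str, samples: List[float], **kw) -> Baseliner:
    """Replay a sample series through a Baseliner and return it."""
    b = Baseliner(metric, **kw)
    for i, v in enumerate(samples):
        event = b.observe(i, v)
        if event:
            print(f"{metric}[{i}] = {v}: alert {event}")
    return b


# Constructed sample: ~100 ms response time, a sustained spike, then recovery.
SAMPLES = [100, 102, 98, 101, 99, 103, 97, 100, 102, 98,
           101, 99, 103, 97, 100, 102, 98, 101, 99, 100,
           101, 160, 170, 165, 150, 140, 104, 101]

if __name__ == "__main__":
    for alert in run("app.response_ms", SAMPLES).closed_alerts:
        print(alert)
```

Two design points matter for compliance evidence: the alert record carries when it opened and when it cleared, so the history reflects the actual duration of the problem rather than when someone closed a ticket, and single-sample blips do not open alerts because the trigger criterion requires a sustained breach.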
2. DORA – Continuous Monitoring and Incident Reporting
DORA’s articles 9 (“Protection and prevention”), 13 (“Learning and evolving”) and 15 (the gloriously titled – “Further harmonisation of ICT risk management tools, methods, processes and policies”) further mandate continuous ICT risk monitoring and timely incident reporting to ensure resilience. eG Enterprise facilitates this via:
- Synthetic monitoring: Helps DORA compliance by continually simulating user interactions to test for and detect performance issues, verifying system availability, and identifying risks proactively. This type of automated testing holds IT teams accountable.
- Real-time dashboards: Offering continuous insights into system performance, ensuring ICT teams can quickly spot and address emerging issues.
- ITSM integrations: eG Enterprise integrates with all major ITSM and ticketing systems including ServiceNow, MS Teams, JIRA, PagerDuty and more, allowing organizations to integrate seamlessly with the existing systems and processes used in the wider organization. This ensures that incidents are automatically created, tracked and communicated to the whole organization as needed.
- Automated incident reporting: Generating detailed reports for submission to DORA regulators, reducing manual effort and ensuring compliance. eG Enterprise will only remove alerts when the IT problems are rectified, providing a trustworthy means of measuring performance beyond human-managed support tickets.
- Audit trails: Monitoring applications, end-user behaviors and logons in certain technologies is essential for auditing your IT systems. For example, if you utilize Citrix or other DaaS technologies for enabling remote employee access, you can track who logged in, when and which applications they used and websites they visited.
- Configuration and change tracking: Provides visibility into system configurations and tracks modifications, so that vulnerabilities introduced through misconfigurations or changes can be identified and responded to quickly. A clear change history supports incident response efforts and provides evidence of regulatory compliance in audits. Learn more: Change Tracking and Configuration Monitoring | eG Innovations.
By automating detection and reporting, eG Enterprise streamlines compliance and ensures organizations can meet the strict response and reporting deadlines demanded by DORA.
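The “configuration and change tracking” bullet above rests on a simple mechanism: fingerprint each configuration item, diff successive snapshots, and keep an append-only change history that can answer audit questions such as “what changed in this file, and in what order?”. The following is an added example written for this page, not eG Enterprise code; the file names and contents are constructed, and the snapshot source (a dictionary of path to content) stands in for whatever collector an organization actually uses.

```python
"""Configuration snapshot diffing and change-history tracking.

Added illustrative example (not eG Enterprise code). Fingerprints each
configuration item, diffs each new snapshot against the previous one and
appends the resulting changes to an audit history. File names and contents
used below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def fingerprint(content: str) -> str:
    """SHA-256 of the item's content; identical content -> identical digest."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Change:
    seq: int                 # monotonic position in the history
    path: str
    kind: str                # "added", "removed" or "modified"
    before: Optional[str]    # fingerprint before the change (None if added)
    after: Optional[str]     # fingerprint after the change (None if removed)


class ChangeTracker:
    def __init__(self) -> None:
        self.current: Dict[str, str] = {}   # path -> fingerprint of last snapshot
        self.history: List[Change] = []     # append-only audit trail

    def snapshot(self, files: Dict[str, str]) -> List[Change]:
        """Diff a new snapshot against the previous one and record the changes."""
        new = {path: fingerprint(content) for path, content in files.items()}
        changes: List[Change] = []
        for path in sorted(set(self.current) | set(new)):
            before, after = self.current.get(path), new.get(path)
            if before == after:
                continue                      # unchanged item
            if before is None:
                kind = "added"
            elif after is None:
                kind = "removed"
            else:
                kind = "modified"
            changes.append(Change(len(self.history) + len(changes),
                                  path, kind, before, after))
        self.history.extend(changes)
        self.current = new
        return changes

    def changes_to(self, path: str) -> List[Change]:
        """Audit lookup: every recorded change to one item, in order."""
        return [c for c in self.history if c.path == path]


# Constructed snapshots of a host's configuration at three points in time.
SNAPSHOT_1 = {"/etc/ssh/sshd_config": "PermitRootLogin no\n",
              "/srv/app/app.yaml": "debug: false\n"}
SNAPSHOT_2 = {"/etc/ssh/sshd_config": "PermitRootLogin yes\n",   # modified
              "/srv/app/app.yaml": "debug: false\n",             # unchanged
              "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n"}  # added
SNAPSHOT_3 = {"/etc/ssh/sshd_config": "PermitRootLogin yes\n",
              "/srv/app/app.yaml": "debug: false\n"}             # cron job removed


def demo() -> ChangeTracker:
    tracker = ChangeTracker()
    for snap in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3):
        for change in tracker.snapshot(snap):
            print(f"#{change.seq} {change.kind:8} {change.path}")
    return tracker


if __name__ == "__main__":
    demo()
```

Storing fingerprints rather than full contents keeps the history small and avoids copying secrets out of configuration files, while still proving that a given item changed at a given point in the sequence; the same history feeds the incident-response question of what changed just before a problem began.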
3. DORA – ICT Dependency Mapping and Testing
DORA requires clear documentation of ICT dependencies and regular testing of resilience strategies (e.g., Articles 8 (“Identification”) and 24-27 (“Digital operational resilience testing”)). AIOps tools such as eG Enterprise support this by:
- Topology mapping: Auto-discovery and auto-deploy includes automatically mapping interdependencies between applications, services, and infrastructure to provide a clear view of critical paths and risks.
- Simulation and testing: Supporting simulated incident scenarios to validate resilience strategies and improve response capabilities. Synthetic monitoring capabilities including full-session simulation and a web app simulator allow administrators to test user scenarios end-to-end. Indeed, Article 25 explicitly calls out both performance testing and end-to-end testing as mandatory.
- Ready-to-go reports: eG Enterprise includes a wealth of ready-to-go reports, plus a GUI custom report builder. No query languages are required. Reports can be scheduled to help ensure compliance. Learn more: Enterprise Reporting & Analytics | eG Innovations.
These features ensure organizations not only understand their system vulnerabilities but also maintain the ability to recover from disruptions effectively.
4. DORA – Third-Party Risk Oversight
Under Articles 28-44 (headline overview in 28-30), DORA mandates oversight of critical third-party ICT providers.
AIOps platforms can extend monitoring capabilities to third-party systems via integrations and APIs, providing visibility into performance and risks across the supply chain. This ensures compliance with DORA’s requirements for third-party risk management and accountability.
eG Enterprise supports 500+ technology stacks out of the box, see: End-to-End Monitoring: Applications, Cloud, Containers. This includes major critical third-party suppliers to the finance sector, from public clouds and enterprise applications (such as Windows 365, Salesforce, PeopleSoft) to datacenter hardware, databases, storage, networking and lots more.
These articles also mean that if you are a third-party supplier to the finance sector you will be required to demonstrate that your products and services comply with DORA; eG Enterprise can help you do this in the same ways it can help the financial institutions themselves.
5. DORA – The rest of the Regulation
Above I’ve pulled out a few specific articles and clauses to demonstrate how granular this regulation is. It really is worth reading the entirety of the regulation if you are an IT architect, administrator or decision maker at an affected organization. The decisions you make when choosing IT tools, especially monitoring ones, will either make your path to DORA compliance a lot easier or a lot harder.
Learn more about how a “Cloud Exit Strategy” can be part of a DORA compliance strategy
If you enjoyed my blog today and are interested in operational and organizational resilience, you may like to read another article I wrote recently: The Importance of a Cloud Exit Strategy: What It Is, Who Needs It, and How to Plan It | eG Innovations.
Those interested in financial services regulation specifically may want to find the part of the article where I provide links to some resources such as: Cloud exit planning guidelines for financial services institutions – Microsoft Industry Blogs.
These articles are particularly relevant to DORA’s Article 30 (Art. 30 Key contractual provisions – DORA), which covers service termination considerations.
eG Enterprise – a trusted supplier to financial organizations for over 2 decades
AIOps monitoring is essential for DORA compliance as it automates critical mandated processes such as anomaly detection, incident response, and ICT dependency mapping. Its ability to proactively identify risks, generate insights, and streamline regulatory reporting ensures that organizations can meet DORA’s stringent standards while improving overall operational resilience.
If you’d like to learn more about our services for the financial sector or our experience in this area, please explore:
- DTCC, through its subsidiaries, provides clearing, settlement and information services for equities, corporate and municipal bonds, government and mortgage-backed securities, money-market instruments and over-the-counter derivatives. Using eG Enterprise, DTCC monitors an IT infrastructure responsible for settling around $2 Quadrillion in security transactions per year, learn more: IT Infrastructure Monitoring at Depository Trust & Clearing Corp.
- Learn more about eG Enterprise features and financial service use cases at: IT Performance Monitoring for Banks and Financial Services.
- We also have a dedicated page covering our solutions and customers who are Credit Unions, please see: IT Performance Monitoring for Credit Unions | eG Innovations.
- E-Commerce Monitoring for Applications and Payment Gateways.
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces, web applications, SaaS services, cloud and containers from a single pane of glass.