Data sovereignty as a guiding principle: a realistic exit plan under DORA
The financial sector is preparing for a significant change with the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, applicable since 17 January 2025), an EU regulation aimed at ensuring that the sector's critical infrastructure can withstand ICT disruptions of every kind, cyberattacks included.
DORA is a significant step towards data sovereignty and an opportunity to make the IT structures of the financial sector more resilient, independent, and future-proof. CIOs and CISOs are now tasked with testing their existing IT landscapes against four questions: can data and workloads be ported, can a migration be reproduced, are the systems open enough for a provider switch without lock-in, and is the documentation complete enough to withstand regulatory scrutiny?
The regulation does not displace cloud services; it raises the bar for using them. Article 28 requires documented exit strategies for ICT services that support critical or important functions, and this is leading many institutions to adopt hybrid and multi-cloud models to reduce single-provider dependencies and meet the portability requirements. An exit strategy that exists only on paper does not satisfy the requirement: institutions need to combine network connectivity to the alternative target, a tested data transfer path, and infrastructure documented well enough to be rebuilt, and then actually run exit tests against them so that the plan is known to work before an emergency forces it.
Addressing these points early secures legal compliance and can also provide a sustainable competitive advantage. On-premises infrastructures are experiencing a renaissance, especially for processing sensitive data or where physical control is indispensable. Achieving data sovereignty requires that data is fully documented and stored in open formats, and that systems are interoperable. Proprietary technologies, untested migrations, or incomplete documentation can each block an exit on their own.
Open source is not a safe harbour by itself: neglected open-source components pose risks similar to those of outdated proprietary systems. It is therefore crucial to rely on a provider that keeps the individual solution components secure and can demonstrate a proven software supply chain security concept. GitOps, in which the desired state of infrastructure and applications is declared as code, versioned in Git, and applied by automated reconciliation, helps make migrations reproducible and transparent: the same declarations that build an environment with one provider can rebuild it with another, and the commit history gives regulators a traceable record of every change.
For financial institutions, data sovereignty therefore means full transparency over the software components in use, audit-proof documentation of all data flows, and avoidance of proprietary formats that would make a change of provider difficult or impossible. The result is a complex IT landscape in which cloud and on-premises are operated in parallel and both worlds must interoperate seamlessly.
The implementation of DORA is not limited to the financial institutions themselves. It also covers their ICT service providers, and for the first time puts critical ICT third-party providers under direct EU oversight. Financial institutions must manage every ICT third-party relationship through a structured lifecycle: risk assessment before onboarding, contractual governance, ongoing monitoring, and a documented exit strategy, with the contractual arrangements recorded in a register of information.
Many institutions are turning to open-source technologies to meet DORA's demands for transparency, adaptability, and interoperability. One example is Stackable, a company whose platform has been built on open source from the start, runs in the cloud or on premises without code changes, and ships with a traceable software supply chain.
In conclusion, the Digital Operational Resilience Act (DORA) presents a significant challenge for the financial sector, but it also offers an opportunity to build more resilient, independent, and future-proof IT structures. By treating data sovereignty as the guiding principle, financial institutions can make sure they are prepared for a provider failure or a forced exit, and maintain a competitive edge while doing so.