The Digital Operational Resilience Act (DORA), an EU regulation aimed at strengthening the IT security of financial entities is now ‘live’ and fully applicable as of January 17. This legislation mandates that financial institutions, including banks, insurance companies, and investment firms, ensure they can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) related disruptions and threats.
DORA introduces five key pillars: ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. To dig deeper into operational resilience scenario testing, we caught up with Davis DeRodes, Lead Data Scientist at operational resilience specialists Fusion Risk Management.
“Regarding scenario testing, start with the basics,” says DeRodes. “Many organizations only test once or twice a year, but regulations demand more frequent testing. AI can help you test more often. It also acts as an unbiased party in proposing scenarios, especially for regulated clients who need scenarios that are severe yet plausible. AI can show plausibility by referencing historical examples, which is incredibly helpful,” he says.
Fusion’s Scenario Simulation and Intelligence suite allows organizations to run thousands of “severe but plausible” operational risk scenarios concurrently, unveiling hidden vulnerabilities in systems, processes, and resilience plans. By leveraging fusion’s proprietary AI combined with internal and external historical event data—for example vendor services outages like last year’s CrowdStrike incident or cyber security incidents—teams can prioritize the most impactful gaps, reduce human bias, and gain clarity on what to fix or plan for, ensuring optimal preparation for any disruption.
These capabilities also address incomplete or untrusted data by highlighting information gaps and prioritizing which issues to resolve first. Additionally, they improve engagement in tabletop exercises by identifying relevant scenarios and the right departments and specific roles in advance, helping organizations save time and resources. All of this is seamlessly managed within the same Fusion platform that teams will rely on to handle real incidents, creating a cohesive and efficient resilience framework.
Compliance with DORA requires firms to capture and report on data they previously did not need to collect—e.g. third-party supply chain dependencies—often necessitating a shift in data ownership and accountability within organizations. Initially perceived as a security issue managed by Chief Information Security Officers (CISOs), the responsibility for DORA compliance has increasingly moved to Chief Operating Officers (COOs), reflecting its broader operational impact.
Published regulatory frameworks, such as those from the Basel Committee on Banking Supervision (BCBS) follow a principles-based approach. In contrast, DORA stands out for its detailed prescriptive obligations. This specificity, whilst providing clarity on regulatory expectations actually risks encouraging firms to adopt a tactical box-checking approach, rather than a strategic evaluation of the firms digital supply chains.
Tom Henshaw, Fusion’s Head of Platform Go to Market for EMEA shared some perspectives on how the regulatory divergence between the EU and Post-Brexit UK’s more principles-based approach. “I guess ultimately, it would probably come down to the way in which the regulation is governed, because it [DORA] is so prescriptive about what needs to be done, how, when, and that sort of thing,” he says, suggesting “The ESA and the European regulators, may be slightly missing the mark by moving resilience to a compliance-driven activity, rather than a value creation or a competitive advantage activity.
“Resilience is a value creation activity because it enables firms to provide their services or products to the market over a longer duration because they’ll have more uptime and their customers will be stickier because ultimately, resilience is about protecting the customer and fulfilling the obligations made to the customers. So, I think the focus should always be on achieving those outcomes from a regulatory standpoint,” he says.
Subscribe to our newsletter
