James Wood

21 October 2024

What is DORA, and how does it impact the database?

Have you heard about DORA in the past few months? That’s the Digital Operational Resilience Act, not DevOps Research and Assessment (DORA) on this occasion, which has been gathering pace and attention as the deadline for implementation approaches.

What is the Digital Operational Resilience Act?

The new DORA is a comprehensive set of regulations aimed at enhancing the operational resilience of financial institutions within the European Union and those that support financial organizations within the EU. It mandates that these institutions implement robust measures to protect their ICT systems from disruptions and cyber threats.

How does this impact the database?

With the growth and expansion of critical financial services, the resilience of IT systems is more critical than ever. The volume of data produced, created, copied, consumed and stored also continues to increase, not least with the latest AI (Artificial Intelligence) and ML (Machine Learning) trends, for which data is fuel. The Digital Operational Resilience Act (DORA) sets out a regulatory framework designed to ensure that financial institutions can withstand and recover from various operational disruptions, including cyber threats.

But how does DORA impact the database? The short answer is that, because your databases could be classed as critical Information and Communication Technology (ICT), their absence or failure could have a detrimental impact on your ability to operate effectively and securely.

Who does it impact?

Financial entities and third-party ICT service providers in the EU, as well as those which provide support from outside the EU. Examples of the organizations affected include:

• Banks
• Insurance companies
• Credit providers
• Payment providers
• Crypto-asset providers
• Credit rating agencies
• Pensions providers
• Investment firms
• FinTech companies
• Crowdfunding service providers
• Third-party ICT service providers that support financial organizations

When does it come into force?

The EU adopted the DORA in November 2022 and will require compliance by 17th January 2025. From this date, financial companies need to be able to demonstrate compliance with the DORA regulation which includes potential actions of being subject to audits, being able to provide incident reporting and demonstrate risk management frameworks are in place. So the work doesn’t start then: it starts now.

Key components of DORA

1. ICT risk management: Financial entities must establish comprehensive ICT risk management frameworks. This includes identifying, assessing and mitigating ICT risks.
2. Incident reporting: DORA requires financial institutions to report major ICT-related incidents to the relevant authorities. This requires an effective understanding and reporting of incidents, ensuring that incidents are managed transparently and that lessons are learned.
3. Operational resilience testing: Regular testing of ICT systems and processes is required to ensure they can withstand and recover from disruptions. This aims to implement digital operational resilience through such tests as penetration testing and vulnerability assessments.
4. Third-party risk management: Financial entities must ensure that their third-party ICT service providers comply with DORA’s requirements. This includes conducting due diligence, monitoring performance, and ensuring contractual agreements reflect DORA’s standards.
5. Governance and oversight: DORA emphasizes the importance of strong governance, information sharing and oversight. Financial entities must have clear roles and responsibilities for managing ICT risks and ensuring compliance with the regulation.

What is the relevance to the database?

Database Administrators (DBAs), data security teams and CISOs play a crucial role in maintaining the integrity, security, and performance of an organization’s data. With the introduction of DORA, they need to be proactive in their approach to database management, and implement frameworks that help identify, mitigate, classify and report incidents:

1. ICT Risk Management: DORA mandates security measures to protect against ICT-related risks. Teams must ensure that databases are secure from cyber threats, including implementing encryption, access controls, classification of important assets, patch management, and regular security audits.
2. Incident Management and Reporting: DBAs, security leads and CISOs are often the first to detect anomalies or breaches in the database. Under DORA, they must have robust incident management processes in place to quickly identify, respond to, and report incidents. This includes maintaining detailed logs and documentation of all incidents and responses.
3. Operational Resilience: Ensuring the operational resilience of databases is a key requirement. This involves regular testing and validation of backup and recovery procedures to ensure that data can be restored quickly in the event of a disruption. Database teams must also conduct regular performance and stress testing to identify and mitigate potential vulnerabilities.
4. Compliance and Governance: Teams must ensure that database management practices comply with DORA’s governance and oversight requirements. This includes implementing policies and procedures for data management and incident response. DBAs must also work closely with other IT and compliance teams to ensure a coordinated approach to ICT risk management.
5. Third-Party Management: Many organizations rely on third-party service providers for database management and support. Under DORA, teams must ensure that these providers comply with the same standards. This involves conducting regular audits, monitoring performance, and ensuring that contractual agreements reflect DORA’s requirements.

How Redgate Monitor can help

1. Enhanced security monitoring: Redgate Monitor provides advanced security monitoring and auditing capabilities. This helps DBAs ensure compliance by offering instant visibility into user access rights and automated SQL Server configuration audits.
2. High availability architecture: Redgate Monitor supports high availability setups using load balancers that elevates operational resilience. This ensures continuous monitoring and fortifies applications and data against failures.
3. Data API: Redgate Monitor allows DBAs to easily connect database monitoring data with other applications. This integrates and streamlines wider stakeholder reporting and ensures that sensitive information is shared securely.
4. Proactive alerts: With customizable alerting, Redgate Monitor helps DBAs proactively identify and mitigate potential risks while getting to the root cause of an issue, assisting with DORA’s continuous monitoring and prompt detection of anomalous activities mandate.
5. Identity and classification: The grouping and tagging capability in Redgate Monitor enables every user to easily view and prioritize resources to quickly configure alerting and manage database estates.
6. Patch management: The Estate feature within Redgate Monitor ensures server patches, versions and configurations are up to date, reducing exposure to security vulnerabilities, instability, the potential for loss of data and operational disruption.
7. Reporting and auditing: Redgate Monitor ensures SQL Server configurations are always audit-ready and aligned with compliance standards with its centralized compliance dashboard.

Conclusion:

The Digital Operational Resilience Act (DORA) represents a step forward in formalizing, standardizing and enhancing the resilience and security of the EU’s financial sector. In some ways the new DORA act is an adoption of the principles recommended by its namesake, the DevOps Research and Assessment (DORA). These focus on resilience and reliability in development, an approach that adopts continuous improvement, the reduction of downtime and MTTR (Mean Time to Recovery), testing and reporting, and bringing important groups and stakeholders together.

For the database, this means adopting a proactive and comprehensive approach to database monitoring and management because, while database monitoring is not critical ICT, your database could be. By understanding and implementing DORA’s requirements, DBAs, data security teams and CISOs can help ensure that their organizations are well-prepared to withstand and recover from database related disruptions.

To find out more about how Redgate Monitor can help your organization meet the requirements of DORA, try the online demo or get going with your own, fully functional, 14 day free trial.