HOW TO ENSURE DORA-COMPLIANT BUSINESS CONTINUITY

by Rino Tranzillo, Head of Capital Market Solutions ATS (Base Digitale Group).

The increasing digitalization of the financial sector and the complexity of IT infrastructures supporting financial services systems undoubtedly offer new business opportunities but also significantly heighten cyber risks. These risks emerge as a primary concern, exposing financial institutions to a wide range of threats, from natural ones (human error, natural disasters) to technological (cyberattacks, cybercrime) and even the most sophisticated financial fraud.
In this context, the European DORA (Digital Operational Resilience Act) Regulation arises as the EU’s most significant initiative on digital operational resilience and cybersecurity in the financial sector. DORA is a true game changer, both for the breadth of its scope and its centrality at the European level. Its aim is to establish a unified regulatory framework that harmonizes rules on network and information system security across EU member states.

“What does operational resilience mean in the context of Capital Market Trading?“
The digitalization of trading processes has undoubtedly brought numerous advantages in terms of efficiency and speed. Investment firms rely on innovative digital solutions to achieve faster trading and enhance their ability to handle vast amounts of data and information. However, this also exposes them to new risks.
For investment firms, the processes of order management and trading financial instruments inevitably fall within the functions defined by DORA as essential. In this context, operational resilience refers to a firm’s ability to maintain its critical functions, related to order management and trading processes, even in the event of cyber incidents. This concept goes beyond merely ensuring system availability: it involves the ability to rapidly restore functionalities, minimizing the impact on the firm itself, its clients, and counterparties“.

says Rino Tranzillo, Head of Capital Market Solutions at ATS.

The importance of an adequate architecture

To ensure effective operational resilience, it is crucial to design an IT architecture specifically tailored to meet all required resilience levels. In particular, such an architecture must:

• Ensure operational continuity: keep essential services for order collection, trading, and market access active, even during emergencies and peak operating conditions.
• Restore functionalities quickly: thanks to well-defined response and recovery procedures and efficient data backup and replication solutions.
• Rapidly identify incidents: using advanced monitoring systems, including AI-based technologies, and implementing alerting mechanisms that promptly trigger incident response processes.
• Isolate the impact: contain the propagation of incidents and protect critical data and applications.

A new approach to backup: speed and continuity

Given DORA’s strict digital operational resilience requirements, a novel approach to cybersecurity incident management is imperative. Given DORA’s strict digital operational resilience requirements, a novel approach to cybersecurity incident management is imperative. Backup and recovery solutions must ensure swift operational resumption, minimizing downtime and guaranteeing business continuity, especially in highly digitalized, interconnected sectors like financial trading. Every component within such systems is vulnerable and poses operational risks.
Flexibility and automation in the restoration of critical functionalities are key elements for mitigating cyber risks and ensuring operational continuity in a context where timeliness is crucial and significantly impacts business and the broader market. In particular, the accessibility of systems from anywhere, even in emergency situations, is a critical requirement. This means that all actors involved in a transaction’s lifecycle—from pre-trade to post-trade (data providers, brokers, clients, and trading desks)—must have access to the necessary systems and data at all times, even under critical conditions.
In this perspective, an “operational resilience as a service” approach with access to alternative cloud-based infrastructure (public or private) and specific functionalities ready to restart the entire order management and trading process in minimal time can become a best practice for financial intermediaries. This strengthens digital operational continuity, effectively manages incidents, protects data and clients, and ensures an adequate, cost-efficient level of service.

Diversifying OEMS to mitigate concentration risk and enhance business benefits

“The DORA Regulation emphasizes the need to mitigate the risk of concentration and dependency on critical third parties. In the context of order management and trading, a diversified architecture using multiple OEMS (Order and Execution Management Systems) for different business segments or workflows (e.g., asset classes, brokers, high-touch or low-touch flows) adequately addresses this requirement. It reduces concentration risks by distributing dependencies across multiple providers and technologies, ensuring greater operational continuity.

Diversifying OEMS by business segment or workflow also isolates incidents, limiting their impact on the entire organization. Furthermore, diversifying platforms between primary and backup/recovery systems can address even “supplier failure” scenarios.”.

Business benefits

A platform diversification approach not only meets DORA’s requirements regarding third-party management but also represents an effective strategy for enhancing overall operational resilience, ensuring flexibility and efficiency.
Platform diversification offers significant business benefits. The ability to use specialized OEMS for specific market segments or workflows enables greater customization and optimization of operational processes, translating into higher efficiency and improved service quality for clients.
DORA undoubtedly presents a challenge and an additional burden, but it can also be an opportunity for financial sector companies. By implementing appropriate security measures and adopting robust operational continuity plans and structures, organizations can protect their business while also differentiating and further strengthening their position compared to competitors.