IT resilience thanks to EU DORA and NIS2 – concept, context and history

Resilience is now a matter for the boss – EU DORA and NIS2 are getting serious when it comes to resilience and IT architectures in companies.

Resilience was once a topic of supply chain management, sometimes IT and otherwise more commonly found in medicine. With the final penetration of the internet and smart devices, which have become an integral part of our lives, the cards are being reshuffled – also on the regulatory side.

Resilience. At first it sounds like another buzzword, a bit like sustainability and almost a little esoteric. But the term is anything but new. I remember exactly when I first read it in the context of IT: In 2008, I was a new IT manager at a listed energy company and had a clear mandate to implement targeted redundancy and safeguard value-adding processes through IT.

In principle, these were exactly my topics, which allowed me to draw on my experience – but then I read the conceptual combination “IT Continuity & Business Resiliency Management” in a specialist article on the subject of governance. As someone who prefers to create more than one backup and actually enjoys checking log files, I was immediately hooked. Because what was hidden behind the word resilience gave me a view of the big picture, even before IT would simply permeate every business in the following years with the era of smartphones, apps and mobile-first approaches.

Resilience – term and history

First of all, the term is not a new creation and has nothing to do with IT. Rather, it has its historical origins in resilience and therefore primarily in medicine. In order not to go too far afield, we will simply quote the first Wikipedia entry from 2001:

Living systems can never completely control internal and external conditions. They must therefore be able to compensate for deviations (errors). They must be error-tolerant, error-friendly. Resilience: The ability to stand firm.

– One sentence, nothing more. And it sums it up pretty well. In 2009, the scope was no different, but the statement was sharpened somewhat:

(…) Technical term used differently in different scientific disciplines, generally describing the tolerance of a system to perturbations.

That was all I needed to know at the time in order to carry out the assignment given to me by the Executive Board from this perspective. For me, it was no longer just about data backups, traceability of changes or fail-safety – I wanted to protect the company against disruptions of all kinds and, two years later, with the construction of the new company headquarters, I had the unique opportunity to implement everything on a de facto greenfield site that was still restricting me in 2008 due to the old building. Every area should remain operational, no matter where something breaks down, is being maintained or updates are being installed.

Resilience and the economy: the European ecosystem and the impact of crises

With the exception of the economic crisis in 2008, there was nothing to complain about in the years that followed – it was only in 2018 that the EU GDPR brought an issue to the fore that put a damper on the unstoppable triumph of digitalization. Suddenly there were rules and a proverbial basic order for the processing of personal data, which had an impact on almost all processes, cloud projects and contracts. Barely mastered, the Covid-19 crisis tore apart many supply chains, the chip crisis came, factories closed their doors, borders were impassable and even in 2022, when things were slowly returning to normal, the war in Ukraine began. You don’t have to be an economic sage to admit it clearly: the current times offer more and more crises, global upheavals and therefore challenges, which can – and in fact do – affect every company. One sentence is heard above all in the context of hacker attacks and cybersecurity measures: “It’s not a question of if you’ll get hit, but when”. To be precise, you would even have to add “and maybe it happened yesterday”. So there are plenty of reasons to address the topic of resilience, almost “like on an assembly line”.

Resilience and regulations – industries, context, outlook

The so-called KRITIS sectors in particular, e.g. financial and insurance companies, but also the healthcare and energy industries, are good examples of economic sectors that are particularly confronted with legal requirements. KRITIS, the keyword of the German implementation of the requirements of the EU directive NIS1 of 2016, was followed by NIS2 in 2022. The focus of NIS has always been on risk management and cybersecurity; NIS2 primarily extends the scope to further sectors, such as postal and courier services and the food industry.

However, the special focus on resilience and the associated “on everyone’s lips” perception is due to EU DORA – the “Digital Operational Resilience Act”. Here it is, the EU regulation with the key word in its name, which is primarily aimed at companies in the financial and insurance sectors. Primarily, because more and more companies that are not even on the radar are providing services in this area and now have to take action. The regulation initially cites IT risks and resilience measures in the area of cybersecurity. But if you take a closer look – or deal with it in your professional environment – you will see that it is actually about business resilience. Because, as explained at the beginning, IT is now an indispensable part of every business process; keeping it out is neither possible nor a viable option. IT is everywhere. Where it fails, processes come to a standstill and so does the business. DORA contains further details and requirements, some of which are very specific – for example, the performance of penetration tests and code analyses – and go beyond the scope of this article, but they are aimed precisely at the cybersecurity risks listed in the previous paragraph. This shows how important it is to have a basic understanding of resilience, as such advanced disciplines would otherwise fall by the wayside. It’s a bit like protecting against stormy weather: where no precautions are taken, even a light breeze is enough. And as a regulation, DORA is directly applicable and does not have to be transposed into national law like the NIS2 Directive.

EU DORA – cheat sheet, hidden challenges, timeline

So let’s use the current focus on EU DORA to highlight a few really important, often overlooked aspects of business resilience and to clarify preparatory points – because some companies may have already achieved more than they think!

1. Risk appetite – even far away from the food industry

Anyone who works with me cannot avoid this word. It is neither an artificial word nor a creation on my part. The term is firmly anchored in one of the leading governance frameworks, COBIT – and has been a recurring theme in every audit since the first version in the 1990s, when COBIT was born in the IT audit of the financial sector. The meaning is explained quite simply: every company has to deal with risks. Some can be mitigated (avoided, treated, reduced), others must be borne (too expensive, in the nature of things, disproportionate effort). However, knowing how much risk the company is willing and able to bear – in this case its “appetite” – has simply never been considered in many places. Yet this is essential and should be carried out at least once before addressing the topic of resilience. How else would you know which risks and influencing factors you are developing this resilience against?

DORA lists ICT risk management as the first clear requirement in Chapter II – and boldly calls it the “overarching principle” in the very first passages of the regulation.

2. Transparency – not always popular, now indispensable

Talking about risks almost automatically leads to transparency. Many companies are new to this and often have to endure it – which is why we strongly recommend not starting a beauty contest. There are potentials, problems, concerns and difficulties in every department, every part of the company and every process. Anyone who is not honest here and does not treat transparency as a deliberate effort to improve resilience will quickly end up on a theoretical path of perceived conditions that do not actually exist. And these usually don’t work when it really matters. The winners are those who now realize that transparency, as a paradigm discipline and accelerator, can be a real lever.

DORA addresses the topic of transparency in the form of Chapter III (Handling, classifying and reporting ICT-related incidents) and Chapter IV (Testing digital operational resilience), among others.

3. Processes – more than capabilities and diagrams

Processes are always documented somewhere. Right at the front: PowerPoint, Excel or perhaps really a BPM tool. The documentation often passes from one audit to the next and disappears back into the drawer. This is where a real head start can be created: Where companies demonstrate business capabilities for all to see, make interrelationships and supporting processes transparent and specialist departments have understood that they cannot survive without the right IT support, a genuine end-to-end view is created. And this goes far beyond a list, diagrams or tool silos. This is where Enterprise Architecture Management can provide valuable support, as it looks at the entire architecture from business to IT and helps with analysis and reporting.

DORA addresses the topic of processes and IT support in Chapter V (Management of ICT third-party risk), among others.

4. IT – specialist departments & service providers as the key

Almost nowhere are the rifts as deep as between specialist departments and IT – in addition, there are often service providers and cloud providers, of which the invoices are the most important. Where the data is located and which department relies on what usually remains hidden. But there are real opportunities here too: if you build bridges and work, plan and implement together, you don’t need buzzwords like DevOps or tools and training. I have experienced really strong specialist departments that work quickly, resiliently and proactively with IT and have their third-party providers under control. This was often the case in manufacturing, time-critical companies with production lines, where things are not discussed – they are simply done and you really want to avoid things going wrong. A well-managed concentration risk avoids relying too heavily on one provider.

DORA lists ICT third-party risk as a special focus area, which implicitly includes the aforementioned responsibilities of internal parties. Identifying the areas and their individual use of ICT services is also an integral part of the information register to be maintained.
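The two paragraphs above describe the practical core of the register: knowing which business function depends on which provider, and keeping the concentration on any single provider under control. The following is an added example, not code from the article or from any DORA template. It builds a constructed, deliberately small register (the field names `function`, `critical`, `provider` and `service` are my own simplification of the real register of information) and derives from it the two numbers a risk manager wants: each provider's share of critical functions and the critical functions that rest on a single provider.

```python
"""Provider concentration over a constructed ICT information register (added example)."""
from collections import defaultdict

# Constructed sample register: one row per business function / ICT service pairing.
# Field names are an assumption for this example; DORA's register of information
# uses its own template and a real register is far larger.
REGISTER = [
    {"function": "payments",   "critical": True,  "provider": "CloudCo",   "service": "IaaS"},
    {"function": "payments",   "critical": True,  "provider": "CloudCo",   "service": "managed DB"},
    {"function": "claims",     "critical": True,  "provider": "CloudCo",   "service": "IaaS"},
    {"function": "claims",     "critical": True,  "provider": "MailCorp",  "service": "e-mail"},
    {"function": "onboarding", "critical": True,  "provider": "IdentityX", "service": "KYC API"},
    {"function": "marketing",  "critical": False, "provider": "MailCorp",  "service": "campaigns"},
]


def providers_by_function(register):
    """Map each business function to the set of providers it depends on."""
    deps = defaultdict(set)
    for row in register:
        deps[row["function"]].add(row["provider"])
    return dict(deps)


def concentration(register, critical_only=True):
    """Share (0.0 .. 1.0) of functions that depend on each provider."""
    rows = [r for r in register if r["critical"] or not critical_only]
    functions = {r["function"] for r in rows}
    per_provider = defaultdict(set)
    for r in rows:
        per_provider[r["provider"]].add(r["function"])
    return {p: len(f) / len(functions) for p, f in per_provider.items()}


def single_points_of_dependency(register):
    """Critical functions whose every ICT service comes from one provider."""
    deps = providers_by_function([r for r in register if r["critical"]])
    return sorted(f for f, p in deps.items() if len(p) == 1)


def flag_concentration(register, threshold=0.5):
    """Providers whose share of critical functions meets or exceeds the threshold.

    The threshold is a policy choice (the risk appetite from point 1), not a DORA value.
    """
    return sorted(p for p, share in concentration(register).items() if share >= threshold)


if __name__ == "__main__":
    for provider, share in sorted(concentration(REGISTER).items()):
        print(f"{provider:10s} supports {share:.0%} of critical functions")
    print("concentrated providers:", flag_concentration(REGISTER))
    print("single-provider critical functions:", single_points_of_dependency(REGISTER))
```

On the constructed data, CloudCo supports two of the three critical functions and is flagged, while `payments` and `onboarding` each depend on exactly one provider; `claims` does not, because its e-mail service comes from a second provider. Scenario A below (having to move away from a provider at short notice) is exactly the question this output answers.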

5. Architecture – managing the interaction

Enterprise Architecture Management (EAM) has been defined for many years, if not decades, by tools and complicated frameworks. Hundreds of people went on TOGAF training courses, thought they had finally found the holy grail of business IT value with the latest EAM tool and sank millions into the next architecture project. However, it has been clear for some years now that only an EA approach that is supported throughout the company and is both desired and supported “from above” will really provide the leverage needed to achieve manageability.

DORA lists the topic of architecture in Article 6 on the context of the ICT risk management framework as the ICT reference architecture and requires the provision of corresponding documentation via the information register. Many banks are already familiar with the requirement for architecture documentation to ensure resilience from BaFin’s VAIT amendment from 2022 – this shows once again that DORA does not scare those who took action early on. After all, maintaining a central register of critical or material applications as a building block in risk management and reporting was already part of the requirements two years ago. The task now is to complete this by the end of the year – because the transition period for DORA ends in January 2025.

Resilience in concrete terms: which scenarios are conceivable and how likely are they?

I am often asked how likely certain situations are in concrete terms and how they can be countered using the measures described. So let’s assume that a company has made it to 2025 and is actually in a good position, has implemented resilience measures and the time has come – the next crisis is imminent. Here are three examples:

A. Data processing with a third country or provider under new contractual bases

As was recently the case in 2019 in the context of Schrems II, legal decisions can be made at virtually any moment, bringing ongoing projects or established processes to a standstill. If you can now clearly define which technologies, services and providers are covered by the current decision, you can react differently, faster and more efficiently. I experienced this myself in 2019 in a large cloud project and, to put it mildly, there was simply panic. Fortunately, as a consultant, I was part of finding a solution, not the problem. Being flexible and relying on standards helps to be able to move away from a provider again – or ideally to realign the services you use in a network of providers.

B. Log4j 2.0: Central IT component is no longer secure, fails or has to be replaced

At the end of 2021, the time had almost come – “The internet is broken”, joked some – “Oh dear, where are we using it?”, sighed others. In the medical industry, managing the digital list of ingredients has long been a requirement of international authorities and approval procedures. Those who fail to identify components, middleware, purchased products and software modules quickly and comprehensively will not be spared the next hacker attack and will not keep their cybersecurity insurance. Specialized consulting firms and providers of penetration tests can help you get a thorough check-up from “good hackers” – just like a general inspection of a car.
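The “Oh dear, where are we using it?” question is answered by the digital list of ingredients the paragraph mentions: a machine-readable inventory of components per product. The following is an added example, not code from the article. It reads a constructed CycloneDX-style SBOM fragment (the components and the `com.example` product are made up) and checks it against an advisory expressed as an affected version range; the range used here is the well-known Log4Shell one (CVE-2021-44228, log4j-core from 2.0-beta9 up to but not including 2.15.0), but the same function works for any component and range.

```python
"""Check a constructed CycloneDX-style SBOM against an affected-version range (added example)."""
import json
import re

# Constructed SBOM fragment for illustration; not a real project's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "application", "group": "com.example", "name": "billing-service", "version": "3.2.0",
     "purl": "pkg:maven/com.example/billing-service@3.2.0"}
  ]
}
"""

# Advisory as an affected range: introduced (inclusive) .. fixed (exclusive).
# Log4Shell (CVE-2021-44228) affected log4j-core 2.0-beta9 through 2.14.1.
ADVISORY = {
    "id": "CVE-2021-44228",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0-beta9",
    "fixed": "2.15.0",
}


def version_key(version):
    """Sortable key for versions like '2.14.1' or '2.0-beta9'.

    Numeric parts first (padded to three), then 1 for a release / 0 for a
    pre-release, then the trailing pre-release number. This keeps '2.0-beta9'
    below '2.0'; ordering between different pre-release labels (beta vs rc)
    is deliberately not modelled here.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + (1, 0)
    m = re.search(r"(\d+)$", pre)
    return nums + (0, int(m.group(1)) if m else 0)


def is_affected(component, advisory):
    """True if the component is the advisory's artifact and inside its version range."""
    if (component.get("group"), component.get("name")) != (advisory["group"], advisory["name"]):
        return False
    v = version_key(component["version"])
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def affected_components(sbom_json, advisory):
    """Package URLs of all SBOM components matched by the advisory."""
    sbom = json.loads(sbom_json)
    return [c["purl"] for c in sbom.get("components", []) if is_affected(c, advisory)]


if __name__ == "__main__":
    hits = affected_components(SBOM_JSON, ADVISORY)
    print(f"{ADVISORY['id']}: {len(hits)} affected component(s)")
    for purl in hits:
        print("  ", purl)
```

The constructed inventory contains log4j-core twice; only the 2.14.1 instance is reported, the 2.17.1 one lies past the fixed version, and log4j-api is not the affected artifact at all. The point of the exercise is the time to answer, not the code: a company that can run this over the SBOMs of all its products in an afternoon is in the position the paragraph describes, one that has to ask its suppliers first is not.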

C. Political or social crisis on a global scale (e.g. war, currency crisis or supply chains)

Whether it’s a pandemic, a blocked English Channel or the next presidential election – the status quo has never been as fragile as it is today. If you keep this in mind and consider the composition of business capabilities in the context of third-party providers, international relationships and data exchange beyond your own network, you will be in a completely different position than those companies that are suddenly no longer able to approach their known counterparts. Create scenarios, weight them, plan out cases and iterate several times a year. The next crisis is only a matter of time and will test your resilience!

Conclusion

So we can conclude: Resilience in the digital sector today is so much more than what was known 20 years ago. Current regulations such as DORA, directives such as NIS2 and our globalized, crisis-ridden world with interdependent ecosystems require us to constantly address the issue of resilience. Resilience affects power grids, payment service providers, IT departments and risk managers alike – if you know where your risk lies and your individual appetite, you are well prepared. Just don’t be blinded by the advertising promises of tool manufacturers, because every provider tries to sell their solution as the cornerstone of resilience. Therefore, pay attention to service providers who take a team approach and think tool-agnostically. Because there is no room for sensitivities here.

Philipp Schneidenbach is an expert in the fields of Enterprise Architecture, Governance, Risk and Compliance. In his current position at Materna he combines the experience of more than 25 years of consulting and line responsibility in various industries and markets. As an author, researcher and speaker he is active in organizations and professional associations such as the IEEE, ISACA and MoreThanDigital, among others.