Hello!
This is my first article on Medium!
Who am I?
I thought a lot about what to write first. Would this be my first article on a topic I’m interested in? Would I share an experience? Would I give some tricks that I use in my daily life?
Ultimately, I decided to be none of these things but to write something more personal. An introduction of who I am, get to know each other and explain what someone can expect to read from me.
First of all, my name is Michail. I work as a cybersecurity specialist most of the time, but I devote a bit of time to poetry and literature. I am a proud father of two children; when we are together, we become three children :p.
The blog’s primary focus will be cybersecurity issues in regulatory frameworks, such as DORA and the AI Act, and, in some cases, as a daily diary.
Now what?
Good. Now, what do we do? Of course, now we’re going to write about a topic. I will play it a little safe and write down some thoughts on the Digital Operational Resilience Act (DORA).
Let’s talk about DORA
DORA is now a European regulation that defines a clear, uniform, and structured risk management framework for credit institutions in the European Union. In a few days (15 January 2025), it will become mandatory for all EU Credit Institutions. Its main pillars, as formulated after much analysis, are:
1. ICT Risk Management
2. Incident Reporting
3. Digital Operational Resilience Testing
4. Management of Third-Party Risk
5. Information Sharing
However, the core of this regulation lies in organizations' risk assessment and resilience. All actions result in a risk assessment, which is recorded and measured over a continuous lifecycle and captures organizations’ resilience against threats.
This may sound like a nice, linear, and logical thing to do. Still, under the surface, the complexity it introduces to organizations and its compliance requirements make it a demanding task. Most organizations went through a major shock with the pandemic and their digital transformation; the new threats and changes in consumer habits pushed them to radically change their structures and the way they work.
Time has never been an ally, and business must be seamless. Having now gone through a long adjustment phase, Credit Institutions have revised from the ground up how they operate to adapt while continuing to maintain the requirements of the other regulatory bodies to which they are subject.
All of this effort highlighted two significant problems.
Two problems
The first problem I have identified is the lack of capacity and staff to manage this transformation in the way we deal with risk. This shortage is because, besides strong technical skills, staff need to possess strong soft skills. Nowadays, harmonious communication between departments, smooth flow of information, and collaboration are cornerstones that enable risk analysts to have timely and accurate data to assess the risk and resilience of the organization. Considering that the landscape is dynamic and each day can strongly disrupt the assessments of the previous one, it is easy to see that this work now goes beyond what we call business hours.
The second problem is the inability of the European Union and its mechanisms to offer credit institutions a set of tools to help them adapt to the regulation or monitor their progress against it. Many essential efforts have been made to model reporting and record information. Still, the methods being used are now a thing of the past. For such an important and useful framework, one would expect a portal where everyone can fill in the information required under DORA and upload the evidence and logs they must maintain. In this way, Credit Institutions would be facilitated, and supervisors would have almost real-time qualitative and quantitative indicators of the situation across the Union. Instead, we are still in the era of massive records, many cells, and exchanging them.
Conclusion
Beyond the problems, which I believe will be fixed in the short term, DORA is a step in the right direction. It creates new opportunities and strengthens organizations' cybersecurity. The race is a marathon at a sprint pace.
I am happy to be here :)