The Digital Operational Resilience Act (DORA) is set to significantly impact the financial sector. Coming into full effect in 2025, this EU regulation will set new standards for information and communications technology (ICT) risk management. In this landscape, how can financial firms ensure they’re not only compliant, but also operationally resilient?
As the detailed requirements continue to take shape ahead of the January 2025 application date, analyst and advisory firms such as Gartner, EY, and Deloitte recommend that organizations start preparing today. Read on to learn how Gremlin provides the tools and insights to help you navigate this new regulatory terrain with confidence.
The Digital Operational Resilience Act (DORA) is a groundbreaking regulation enacted by the European Union to address the growing challenges of digital security and operational resilience in the financial sector. Its aim is to ensure that financial entities operating within the EU adopt rigorous practices to safeguard their digital operations against potential threats and vulnerabilities. In a move to set stringent standards for digital operational resilience, the EU's DORA regulation focuses on four key pillars:
- ICT Risk Management & Governance: establishing clear processes and structures to manage and mitigate ICT-related risks within organizations.
- ICT Incident Reporting & Information Sharing: timely reporting and communication of ICT incidents to foster transparency and rapid response.
- Management of Third-Party ICT Risk: measures to assess and control risks associated with third-party vendors and partners in the digital ecosystem.
- Digital Operational Resilience Testing: regular testing to ensure ICT systems can withstand and recover from disruptions.
The Digital Operational Resilience Testing pillar is where resilience and reliability platforms like Gremlin come into the spotlight. With an evolving digital landscape, it's crucial to have tools that not only address present challenges but are agile enough to adapt to future ones, particularly for sectors as dynamic and critical as finance.
Gremlin has been helping organizations build digital operational resilience since our founding. We were built on the experiences our founders had at companies like Amazon and Netflix keeping applications up and available to users, no matter what. We started with Chaos Engineering, a practice that deliberately injects faults into a system to better understand how that system responds. Working closely with many of the world’s largest financial services organizations, including 5 of the 7 largest U.S. banks, Gremlin has evolved to include reliability management features that enable highly regulated organizations to consistently test for, and prove, resilience to a range of failure conditions at enterprise scale.
While no vendor can solve all four pillars of DORA, Gremlin can help financial firms tackle the complexities of the Digital Operational Resilience Testing pillar by offering:
- Resiliency Testing: Simulate potential ICT issues with fault injection experiments and reliability tests to proactively identify system vulnerabilities.
- Resiliency Reporting: Meet DORA’s anticipated reporting requirements with data-backed evidence of your digital operational resilience.
- Organizational Resilience Exercises: Train your incident response teams through real-world simulation exercises to ensure you have the right monitors, people, and runbooks in place.
Gremlin includes pre-built test scenarios designed to meet the unique challenges of the financial sector, automated evidence gathering for stress-free compliance, and comprehensive, organization-wide reporting that provides a 360-degree view of your system's resilience risks and governance.
Navigating the intricacies of DORA compliance may seem daunting, but with the right tools and a structured approach, firms can effectively address the regulation's requirements. Here are three steps using Gremlin to prepare for DORA's resilience testing pillar.
The first step towards DORA compliance with Gremlin is articulating your resilience objectives and controls and turning these into actionable test scenarios. Gremlin's platform allows you to create a range of tests tailored to these objectives, including scenarios based on past incidents that have impacted your organization, common disaster scenarios within the financial sector, and industry best practices. Many of these test scenarios, based on the requirements from global financial institutions, are already available within Gremlin and can be customized to your specific requirements.
Gremlin uses Fault Injection, the core technique of the practice known as Chaos Engineering, to deliberately introduce controlled faults into a system (for example, added latency or the loss of a dependency) and observe how the system responds. If that sounds risky, it shouldn’t be: experiments are scoped to a defined blast radius and can be halted, and the practice is already in use by the world’s largest and most regulated banks, airlines, telecom companies, and more.
With Gremlin, you're not limited to a predefined set of conditions. You can articulate exactly what scenarios you want to test for resilience. Whether it’s losing a third-party dependency, evacuating an availability zone, or failing over from one cloud provider to another, Gremlin enables you to get started with tests aligned to DORA requirements and also construct highly customized tests that address your unique risk profile.
Operationalizing resilience testing is crucial for ensuring that you're able to run tests safely and at scale. Unlike other tools that offer fault injection features, Gremlin is built to operationalize resilience testing across large organizations and diverse technologies, including cloud providers, containerized environments, VMs, bare metal, serverless, and more. This begins by defining the scope of your testing plan and adding your in-scope services and applications to Gremlin, which automatically detects and adds their internal and third-party dependencies, a key focus of DORA. This process can be automated.
Once your services and dependencies are mapped, you can roll out standardized test suites across your organization. Gremlin’s integrations with observability tools use your existing health and performance signals to produce a clear pass/fail result for each test, minimizing the need for manual oversight. This allows you to shift from ad-hoc, manual testing to a systematic, organization-wide approach. You decide the cadence of your resilience testing: large manual exercises quarterly or annually, or automated tests that run every week or with every deployment.
Compliance with DORA will require more than just conducting tests. You'll also need to gather evidence to satisfy auditors and regulators. Gremlin helps you fulfill this requirement through its automated reporting capabilities. With every test run, Gremlin captures essential data that can be used as evidence of your compliance efforts. This ensures that you’re not just meeting internal benchmarks, but are also able to provide data-backed proof of your ICT resilience.
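To make the loop described above concrete (define a steady-state hypothesis, inject a fault into a dependency, check the hypothesis against a health signal, roll the fault back, confirm recovery, and keep the evidence), here is a small self-contained harness. It is an added illustration written for this page, not Gremlin's code or API: the payment service, the fraud-check dependency, the fault types, and the sample traffic are all hypothetical and simulated in-process so that it runs offline.

```python
"""Minimal fault-injection experiment loop (illustration only, not Gremlin's code).

Pattern: steady-state hypothesis -> inject fault -> measure -> roll back -> confirm
recovery -> record evidence. Every component below is a constructed stand-in.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass
class Fault:
    """A fault injected into a third-party dependency (hypothetical kinds/values)."""
    kind: str            # "latency" adds delay; "error" makes the dependency unreachable
    latency_ms: int = 0  # extra latency for kind == "latency"


class FraudCheckClient:
    """Simulated third-party dependency with a hook where a fault can be injected."""
    def __init__(self, base_latency_ms=20):
        self.base_latency_ms = base_latency_ms
        self.fault = None

    def check(self, amount):
        """Return (latency_ms, verdict); raise if the injected fault is an outage."""
        if self.fault and self.fault.kind == "error":
            raise ConnectionError("fraud-check unavailable (injected)")
        latency = self.base_latency_ms + (self.fault.latency_ms if self.fault else 0)
        return latency, "ok" if amount < 10_000 else "review"


class PaymentService:
    """Service under test. With fallback=True it degrades gracefully when the
    dependency is slow or down; with fallback=False it simply returns errors."""
    TIMEOUT_MS = 500

    def __init__(self, client, fallback):
        self.client, self.fallback = client, fallback

    def pay(self, amount):
        try:
            latency, verdict = self.client.check(amount)
            if latency > self.TIMEOUT_MS:
                raise TimeoutError("fraud-check timed out")
            return {"status": "accepted" if verdict == "ok" else "held", "latency_ms": latency}
        except (ConnectionError, TimeoutError):
            if not self.fallback:
                return {"status": "error", "latency_ms": self.TIMEOUT_MS}
            # Graceful degradation: accept low-value payments, hold the rest for review.
            return {"status": "accepted" if amount < 100 else "held",
                    "latency_ms": self.TIMEOUT_MS}


SAMPLE_PAYMENTS = [5, 50, 250, 1_000, 20_000]  # constructed sample traffic


def measure(service):
    """Steady-state metrics: fraction of requests served (not 'error') and max latency."""
    results = [service.pay(a) for a in SAMPLE_PAYMENTS]
    served = sum(r["status"] != "error" for r in results) / len(results)
    return {"availability": served, "max_latency_ms": max(r["latency_ms"] for r in results)}


def run_experiment(service, client, fault, min_availability=0.99):
    """Inject `fault` into `client`, test the hypothesis, roll back, confirm recovery,
    and return an evidence record that could be attached to an audit trail."""
    before = measure(service)
    client.fault = fault
    try:
        during = measure(service)
    finally:
        client.fault = None  # always roll the fault back, even if measurement blows up
    after = measure(service)
    hypothesis_held = during["availability"] >= min_availability
    recovered = after["availability"] >= min_availability
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "fault": vars(fault),
        "hypothesis": f"availability >= {min_availability} while the fault is active",
        "metrics": {"before": before, "during": during, "after": after},
        "result": "PASS" if hypothesis_held and recovered else "FAIL",
    }


if __name__ == "__main__":
    for fallback in (False, True):
        client = FraudCheckClient()
        svc = PaymentService(client, fallback=fallback)
        for fault in (Fault("latency", latency_ms=2_000), Fault("error")):
            print(json.dumps(run_experiment(svc, client, fault), indent=2))
```

Run as-is, the version without a fallback fails both experiments (availability drops to 0 while the fault is active), while the version with a timeout and fallback passes with latency capped at the timeout. The `finally` is the part practitioners most often skip: the fault must be removed even when the measurement itself errors out, otherwise the experiment becomes the outage.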
Centralized dashboards and reports offer insights into the health and resilience of both individual teams and the organization at large. This is crucial for ongoing monitoring and for making informed decisions on where to focus future resilience efforts. Because this is an area Gremlin is actively investing in, you can expect more advanced reporting capabilities tailored to compliance needs in the near future.
DORA is more than a regulatory requirement—it’s a catalyst for enhancing digital resilience in the financial sector. By partnering with Gremlin, you can move beyond ticking compliance boxes and build a robust ICT infrastructure capable of weathering digital disruptions.
Gremlin provides valuable resources to get you started on your DORA compliance journey. Start by discussing DORA compliance with a Gremlin reliability expert or download our enterprise resiliency testing whitepaper to learn more.