Enacted by the European Union, the Digital Operational Resilience Act (DORA) establishes new standards for digital operational resilience in the financial sector. DORA changes the financial sector's approach to digital security and resilience by imposing stringent Information and Communication Technology (ICT) risk management, incident reporting, third-party risk management, and regular testing.

Gremlin’s Reliability Management Platform helps organizations meet DORA requirements by automating the tracking, monitoring, and testing of ICT services and infrastructure for resiliency risks. Financial firms can strengthen the reliability posture of their ICT infrastructure by streamlining digital operational resilience testing, enhancing capacity and performance management, and automating business continuity planning and testing.

If your organization is subject to DORA, read on to explore five areas where Gremlin can efficiently help meet DORA requirements.

1. Digital Operational Resilience Testing

A key focus of DORA is regular digital operational resilience testing, including penetration testing and scenario-based exercises to test monitoring, business continuity, and disaster recovery. This requirement is one of the original pillars of DORA, and is reflected in many of the additional requirements below. 

Gremlin helps with digital operational resilience testing with two key capabilities: fault injection scenarios and reliability tests. Scenarios and tests are both based on Gremlin’s fault injection technology, which safely introduces controlled, expected failures into systems. This enables organizations to:

  1. Safely and securely simulate infrastructure, network, and service-level incidents and outages they are likely to see in the real world. 
  2. Validate capacity management to ensure systems scale up and down as demand changes.
  3. Validate incident detection and response to confirm that monitors are effectively seeing issues they should be, and that the organization is responding as defined in incident plans. 
  4. Validate and improve disaster recovery and business continuity plans with experiments that confirm systems behave as expected.

Relevant DORA guidelines:

  • Article 9: Capacity and performance management
  • Article 16: ICT systems acquisition, development, and maintenance
  • Article 17: ICT change management
  • Article 25: Testing of the ICT business continuity plans

2. Capacity and Performance Management

DORA requires firms to apply resource optimization and monitoring procedures to maintain and improve availability and prevent ICT capacity shortages.

Gremlin helps meet DORA's capacity and performance management requirements with reliability tests that cover capacity and performance issues. These tests can help you:

  1. Verify resources can scale to meet demand and eliminate capacity shortages. 
  2. Ensure systems are architected for high-availability and redundancy, with plans to handle disruptions without impacting financial transactions. 
  3. Verify that capacity-related and performance-related monitoring and alerting are functioning as expected.

Relevant DORA guidelines:

  • Article 9: Capacity and performance management

3. Business Continuity Planning and Testing

The Act requires firms to regularly test their business continuity plans (BCP) to ensure their effectiveness, at least once per year or following major changes to the plans.

Testing must be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios. This would include failures of third-party service providers, switchovers to redundant capacity and facilities, and widespread power outages.

Gremlin helps meet DORA's business continuity planning and testing requirements through fault injection scenarios. These scenarios enable organizations to:

  1. Test business continuity plans by replicating common and expected ICT failure modes, including scaling for additional capacity, failover to redundant zones or regions, and the loss of third-party service providers.
  2. Run BCP scenarios, validate runbooks, and measure key metrics such as time to detect and time to resolve.

Relevant DORA guidelines:

  • Article 24: Components of the ICT business continuity policy
  • Article 25: Testing of the ICT business continuity plans
  • Article 26: ICT response and recovery plans

4. Incident Detection and Response 

DORA requires firms to generate alerts for anomalous activities and behavior affecting the completeness and the integrity of the data sources or log collection. Firms must manage ICT incidents within the expected resolution time both during and outside working hours.

Gremlin helps meet DORA's incident detection and response requirements with fault injection capabilities. Fault injection safely introduces controlled, expected failures into systems, enabling organizations to:

  1. Verify that monitoring, alerting, and logging are functioning as expected when failures are present.
  2. Ensure expected system behavior is observed, and the organization can react appropriately to meet RTO and RPO targets. 

Relevant DORA guidelines: 

  • Article 13: Network security management
  • Article 23: Anomalous activities’ detection and criteria for ICT-related incidents’ detection and response

5. Mapping of Interdependencies and Third-Party Risk Management

Throughout the Act, DORA requires financial firms to identify and take into account their reliance on ICT interdependencies.

Gremlin helps with interdependencies and third-party risk management with automated dependency discovery technology, which identifies dependencies based on network traffic, and reliability tests, which test systems against disruptions to those dependencies. This enables organizations to:

  1. Discover and map all service dependencies, both owned and third-party, by examining network traffic. 
  2. Test that services can withstand the loss of, or added latency from, these dependencies.
  3. Deploy Gremlin to third parties to ensure they meet the same high resilience standards as the primary institution.
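The dependency discovery described above works from observed traffic rather than from architecture diagrams. The following is an added example, not Gremlin's code, of the basic idea: it takes flow records of the form (source service, destination host, destination port), builds a dependency map, and classifies each destination as owned or third-party. The flow records and the `bank.internal` domain suffix are constructed for the example; the classification rule (anything outside the firm's own DNS suffixes is third-party) is an assumption a real deployment would refine.

```python
"""Build a service dependency map from network flow records (added example).

Assumes flow records as (source_service, destination_host, destination_port)
tuples, as exported by whatever captures the traffic. Any destination host
outside the firm's own DNS suffixes is treated as a third-party dependency.
"""
from collections import defaultdict

# Assumption: the firm's own DNS suffixes (constructed for this example).
OWN_DOMAINS = ("bank.internal",)

# Constructed sample flow records: (source_service, destination_host, port).
SAMPLE_FLOWS = [
    ("payments-api", "ledger.bank.internal", 8443),
    ("payments-api", "fraud-scoring.bank.internal", 443),
    ("payments-api", "api.cardnetwork.example", 443),
    ("ledger", "db-primary.bank.internal", 5432),
    ("fraud-scoring", "api.cardnetwork.example", 443),
    ("statements", "smtp.mailvendor.example", 587),
    ("payments-api", "ledger.bank.internal", 8443),  # repeated flow, deduplicated below
]


def is_third_party(host, own_domains=OWN_DOMAINS):
    """A host is owned if it equals or sits under one of the firm's own domains."""
    return not any(host == d or host.endswith("." + d) for d in own_domains)


def build_dependency_map(flows, own_domains=OWN_DOMAINS):
    """Return {source_service: {(host, port): "owned" | "third-party"}}."""
    deps = defaultdict(dict)
    for src, host, port in flows:
        kind = "third-party" if is_third_party(host, own_domains) else "owned"
        deps[src][(host, port)] = kind  # dict keys collapse repeated flows
    return dict(deps)


def dependents_of(deps, host):
    """Services that would be affected if `host` became unavailable or slow.

    This is the reverse lookup a BCP scenario needs: which services to watch
    when a given dependency is taken away or slowed down.
    """
    return sorted(src for src, targets in deps.items()
                  if any(h == host for h, _ in targets))


def third_party_dependencies(deps):
    """Distinct third-party endpoints, each with the services that rely on it."""
    out = defaultdict(set)
    for src, targets in deps.items():
        for (host, port), kind in targets.items():
            if kind == "third-party":
                out[(host, port)].add(src)
    return {endpoint: sorted(srcs) for endpoint, srcs in out.items()}


if __name__ == "__main__":
    deps = build_dependency_map(SAMPLE_FLOWS)
    for endpoint, srcs in third_party_dependencies(deps).items():
        print(f"third-party {endpoint[0]}:{endpoint[1]} used by {', '.join(srcs)}")
    print("affected if api.cardnetwork.example is lost:",
          dependents_of(deps, "api.cardnetwork.example"))
```

The output of `third_party_dependencies` is the list of external providers whose loss or latency should be scripted into the scenarios discussed in sections 3 and 5, and `dependents_of` names the services whose monitors should fire when such a scenario runs.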

Relevant DORA guidelines:

  • Article 4: ICT asset management policy
  • Article 16: ICT systems acquisition, development, and maintenance
  • Article 17: ICT change management
  • Article 24: Components of the ICT business continuity policy
  • Article 25: Testing of the ICT business continuity plans

Using Gremlin for DORA: Fewer resources, comprehensive test coverage, and less risk

Gremlin has been helping leading global financial services institutions build and validate resilient systems since 2016, and is working closely with large financial firms, analysts, and consultants to implement effective resilience practices to meet the requirements of DORA and other frameworks.

While DORA doesn’t require the use of a specific tool, organizations can significantly reduce the cost, complexity, and risk exposure of meeting DORA requirements by using a reliability platform like Gremlin. The organizations we work with tell us Gremlin helps in three areas:

1. Fewer engineering resources required

Meeting DORA’s stringent testing requirements with manual or open-source testing tools takes significant time and comes with a steep learning curve. Prior to using Gremlin, institutions regularly took 12 months or more to plan Disaster Recovery scenarios. With built-in test suites and automation that come standard, Gremlin significantly reduces and often eliminates the time to plan and test.

2. Coverage for on-prem and cloud environments

Most financial institutions have ICT systems spread across a variety of legacy on-prem and newer cloud infrastructure. All of this infrastructure needs to be tested, which introduces complexity and duplicate work.

Gremlin can be deployed to both on-prem and cloud infrastructure, such as VMs, Kubernetes, Windows, bare metal, and even serverless environments like AWS Lambda. With Gremlin you can design scenarios and test suites once, then deploy them across your infrastructure for complete coverage.

3. Focus on safety and security

DORA requires organizations to test their systems by intentionally introducing real-world failures. This form of testing—especially when done with manual scripts or open-source tools—inherently introduces risks, such as larger-than-intended incidents and challenges in rolling systems back to a steady state. 

Gremlin treats safety and security as first-class citizens, ensuring the intended impact of tests is limited, immediately halting tests if health checks fail or network connections are disrupted, and rolling back systems to steady state automatically. Further, Gremlin has passed the security assessments of many of the world’s largest financial institutions, and can be deployed as a SaaS platform or within your firewall as a self-managed offering.
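The safety controls described above (a steady-state check before anything is injected, halting as soon as a health check fails, and an automatic rollback) are the pattern any fault-injection run should follow, whatever tool executes it. The following is an added example, not Gremlin's code, showing that control loop in a minimal scenario runner. It assumes a scenario is described by three callables (`inject`, `rollback`, `health`), and it uses a simulated clock and a simulated service so that it runs deterministically offline; the latency numbers and the 300 ms health threshold are constructed for the example.

```python
"""Fault-injection scenario runner with precheck, halt-on-failure and rollback.

Added example. A scenario is three callables: inject() applies the fault,
rollback() removes it, and health() returns True while the target is within
its steady-state bounds. The runner also records time to detect, one of the
metrics a BCP exercise should capture.
"""
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RunResult:
    status: str                               # "passed", "halted" or "aborted-precheck"
    time_to_detect_s: Optional[float] = None  # set only when a health check halted the run
    rolled_back: bool = False
    log: list = field(default_factory=list)


def run_scenario(inject, rollback, health, duration_s, poll_s=1.0,
                 clock=time.monotonic, sleep=time.sleep):
    result = RunResult(status="passed")
    # 1. Steady-state precheck: never inject a fault into an already unhealthy system.
    if not health():
        result.status = "aborted-precheck"
        result.log.append("steady state not met; fault not injected")
        return result
    started = clock()
    inject()
    result.log.append("fault injected")
    try:
        # 2. Poll health for the planned duration; halt at the first failed check.
        while clock() - started < duration_s:
            sleep(poll_s)
            if not health():
                result.status = "halted"
                result.time_to_detect_s = clock() - started
                result.log.append(
                    f"health check failed after {result.time_to_detect_s:.1f}s; halting")
                break
    finally:
        # 3. Rollback runs on every path, including exceptions raised while polling.
        rollback()
        result.rolled_back = True
        result.log.append("fault removed; target returned to steady state")
    return result


class FakeClock:
    """Deterministic clock for offline runs: sleep() simply advances time."""
    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class SimulatedService:
    """Constructed target: latency rises while the fault is active; healthy below 300 ms."""
    def __init__(self, base_latency_ms=80, fault_extra_ms=400):
        self.base, self.extra, self.fault_active = base_latency_ms, fault_extra_ms, False

    def inject(self):
        self.fault_active = True

    def rollback(self):
        self.fault_active = False

    def latency_ms(self):
        return self.base + (self.extra if self.fault_active else 0)

    def health(self):
        return self.latency_ms() < 300


def demo_halted():
    """Fault pushes latency to 480 ms: the first poll fails and the run halts."""
    clock, svc = FakeClock(), SimulatedService()
    res = run_scenario(svc.inject, svc.rollback, svc.health, duration_s=60,
                       poll_s=5, clock=clock.monotonic, sleep=clock.sleep)
    return res, svc


def demo_passed():
    """Fault adds only 100 ms: the target tolerates it for the full 60 s window."""
    clock, svc = FakeClock(), SimulatedService(fault_extra_ms=100)
    res = run_scenario(svc.inject, svc.rollback, svc.health, duration_s=60,
                       poll_s=5, clock=clock.monotonic, sleep=clock.sleep)
    return res, svc


if __name__ == "__main__":
    for demo in (demo_halted, demo_passed):
        res, svc = demo()
        print(demo.__name__, res.status, res.time_to_detect_s, "\n  " + "\n  ".join(res.log))
```

Two design points carry over to real runs: the health check is the only thing allowed to decide whether the experiment continues, so it must be wired to the same monitors the incident process relies on; and rollback sits in a `finally` block so that a crash in the runner itself cannot leave the fault in place.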

To learn more, apply for early access to our DORA-specific resilience test suite to see how Gremlin can help with DORA compliance at your organization. 

Ryan Detwiller
Director of Product Marketing