The Digital Operational Resilience Act (Regulation (EU) 2022/2554), also known as DORA, addresses a critical gap in EU financial regulation and demands immediate attention from QA engineers both within the EU and globally. Technology underpins many of the complex systems used in the finance sector and across the modern world. This increasing digitalization heightens IT risk, making society more vulnerable to system failures and cyber threats. While the ubiquitous use of IT systems and connectivity is a core feature of financial institutions, their digital resilience has not yet been fully addressed and integrated into broader operational frameworks. DORA aims to close this gap by establishing a universal framework for managing and mitigating IT risk within the finance sector. DORA sets out a minimum set of risk management rules for the EU and other participating states. This baseline will simplify compliance for financial entities while strengthening the resilience of their financial systems.
The broad sweeping impact of DORA
The scope of DORA extends to all financial institutions within the EU and participating countries. This includes traditional financial institutions such as banks, investment firms, and credit institutions, as well as newer, non-traditional financial entities like crypto-asset services and crowdfunding platforms. Most notably, DORA applies to all third parties that banks use in their infrastructure. The potential penalties for companies found non-compliant could, in some cases, be criminal, depending on the member state.
Potential global implications
Readers from outside the EU might be wondering why this regulation matters to them. The reason is that these regulations are planned to be mirrored in the UK and are likely to be adhered to globally. Taking this into account, it is imperative that all participants in the fintech world are aware of this change and stay ahead of the curve.
Adapting QA practices for DORA compliance
Knowing that these changes are coming, how can QA engineers stay ahead in an increasingly complex regulatory environment? It is essential for all QA engineers to maintain comprehensive documentation covering every stage of the software development life cycle, so that the support team has the information it needs during an incident. Moreover, every third party in use will need to be tested with a range of non-functional testing techniques. Given that the role of QA is set to change drastically over the next two years, automating as many test cases as possible is also important. Cloud-based automation solutions will be preferred, as they can reduce the human error introduced in network management and shorten the time required to provision services and resolve network and security issues. Finally, a wide range of resilience and reliability testing, including endpoint security testing, will also need to be conducted. Given the short timeframe in which companies will have to adjust once the regulation is finalized, it is crucial for companies to act now to avoid unmanageable backlogs that may lead to fines.
Conclusion
The Digital Operational Resilience Act heralds a paradigm shift within the fintech arena and necessitates action from all companies and QA engineers. Proactive measures, including documentation reviews, third-party testing, resilience and reliability testing, and automation solutions, are crucial. These matter not only for meeting regulatory standards but also for fortifying operational resilience. The sooner companies react to the upcoming changes, the better.
For further reading, QA engineers can read this article on resilience testing, which includes a template to guide implementation.
If you would like to stay ahead of the upcoming changes brought by DORA and understand how they may affect your business, please reach out to us at qabound.com. We can guide you through the infrastructure required for your specific business needs and implement it for you.