The Architect’s Guide to DORA Regulations and Their Impact on Enterprise Data Storage
The regulatory landscape is evolving rapidly, and the upcoming Digital Operational Resilience Act (DORA) in Europe is a testament to this dynamic change. We have multiple European banking customers and each one is approaching the problem from a slightly different angle with one exception - almost all of them are using modern object storage as the foundational layer.
For IT architects responsible for storing and managing the new data requirements mandated by DORA, we wanted to share their lessons learned in the hope that others might appreciate the nuances of this regulation and what it means for data storage strategies moving forward.
In this post, we'll break down the key elements of DORA, its impact on data storage, and why a modern object storage solution like MinIO is the best fit for meeting these new demands.
What is DORA?
DORA, or the Digital Operational Resilience Act, is a robust regulatory framework proposed by the European Commission. Its primary objective is to enhance the digital operational resilience of financial institutions within the EU, ensuring they can withstand and recover from all types of IT-related disruptions and threats.
Key components of DORA include:
- IT Risk Management: Establishing comprehensive frameworks to identify, mitigate, and manage IT risks.
  - Framework: DORA mandates the implementation of a comprehensive and well-documented IT risk management framework. This framework should cover all aspects of IT, including security, data governance, and business continuity.
  - Regular Assessments: Organizations must regularly assess IT risks and adapt their defense mechanisms to mitigate these threats effectively.
- IT Incident Reporting: Standardizing processes for reporting significant IT-related incidents to authorities.
  - Mechanism: DORA requires the establishment of a robust incident reporting mechanism. Companies must promptly report significant cyber and IT-related incidents to the relevant authorities.
  - Coordination: This facilitates a timely and coordinated response to threats, minimizing their impact on financial markets and consumers.
- Operational Resilience Testing: Conducting regular tests on IT systems to ensure resilience against disruptions.
  - Testing Requirements: Companies must conduct periodic tests to assess the resilience of their systems and processes to cyberattacks and other IT disruptions. This includes vulnerability assessments, penetration testing, and scenario-based exercises.
- Third-Party Risk Management: Managing risks associated with third-party IT service providers.
  - Vendor Compliance: DORA focuses on managing and monitoring the IT risks arising from the large number of vendor relationships.
  - Standards: Companies must ensure that their external vendors adhere to the same standards of IT risk management, including regular audits and compliance checks.
- Oversight Framework:
  - Critical Third-Party Providers: DORA introduces an oversight framework for critical third-party service providers, including cloud computing services. This ensures that these providers meet stringent standards for ICT risk management, reducing the systemic risk they pose to the European Union’s financial system.
- Governance and IT Risk Management: DORA places significant emphasis on the responsibility of the management body for ensuring digital operational resilience. Management must guarantee adequate protection against ICT disruptions and cyber-attacks.
Finally, while not a requirement, DORA does encourage companies to share information on cyber threats and vulnerabilities within a trusted community. This collective approach enables better preparedness and response to emerging ICT risks and bolsters the overall stability of the EU’s financial system.
Implications for Data Storage
DORA’s focus on ICT risk management, incident reporting, and operational resilience testing imposes significant requirements on data storage infrastructure. This is driving many enterprise architects to redesign their storage solutions to handle the increased data volumes, provide more robust security and, in the case of a breach, support rapid data retrieval and recovery.
The teams we engage with are focused on the following areas:
- Scalability: Ability to seamlessly scale storage capacity across heterogeneous hardware and across cloud environments (public, private, colo) to meet the bank's evolving needs.
- Performance: Gone are the days of cheap, deep and slow. Everything matters from a performance perspective: application performance, throughput, IOPS and, specifically for DORA, RTO and RPO. No one likes to wait on a backup. No one CAN wait on a restore. DORA expects you to test and prove that you can put the piggybank back together in hours, not days or weeks.
- Compliance: Storage solutions must support compliance with DORA's reporting and resilience testing requirements. This includes a testable framework. Open solutions have a huge advantage here.
- Security: Advanced security is table stakes. What goes further? Elements like a Key Encryption Service, a highly available Key Management Server, or extensive functionality around state-of-the-art encryption schemes that support granular object-level encryption using modern, industry-standard encryption algorithms, such as AES-256-GCM, ChaCha20-Poly1305, and AES-CBC. It also means encrypting data both in flight and at rest.
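As an added illustration (not code from the original post or from MinIO), the following Go program sketches the KMS-backed, object-level encryption pattern described above: a master key held by a key management server wraps a fresh per-object data key, which in turn encrypts the object body with AES-256-GCM, so a tampered body, a swapped key or a renamed object is rejected on read. The envelope layout, the object name used as associated data and the key sizes are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Assumed envelope model (illustrative, not MinIO's code): a KMS-held KEK wraps a
// fresh per-object DEK; the DEK seals the body with AES-256-GCM so tampering is rejected.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic("key must be 16, 24 or 32 bytes: " + err.Error()) // fail closed on misconfiguration
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM requires
	return gcm
}
// seal encrypts plaintext with a fresh random nonce (prefixed to the output), binding aad.
func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+); it aborts the process instead
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; the GCM tag check rejects any modified byte or a wrong aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}
// EncryptObject: fresh DEK per object, wrapped under the KEK; the object name is bound as
// associated data so a sealed body cannot be replayed under another object name.
func EncryptObject(kek []byte, name string, data []byte) (wrappedDEK, body []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte(name)), seal(dek, data, []byte(name))
}
// DecryptObject unwraps the DEK with the KEK, then opens the body; it fails closed.
func DecryptObject(kek []byte, name string, wrappedDEK, body []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dek, body, []byte(name))
}
```

In a real deployment the KEK never leaves the KMS; the unwrap step would be a call to that service rather than a local `open`.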
The Case for Modern Object Storage Solutions
Traditional storage solutions will struggle to meet DORA’s stringent requirements. They are weak in several key areas. Scalability is tough with finite capacities that require significant physical expansion, making it difficult to scale efficiently as data volumes grow. They are complex: managing and retrieving data in traditional hierarchical storage systems is cumbersome and time-consuming, especially as the amount of data increases. Traditional storage solutions have poor TCO, with higher maintenance and operational costs, including energy consumption and physical space requirements. Finally, they are mostly appliance driven, meaning they lack the flexibility needed to adapt quickly to changing regulatory requirements and technological advancements. This is where modern object storage solutions like MinIO come into play. The reasons will be obvious to architects.
1. Software-Defined Flexibility
Software-defined storage solutions give enterprises the freedom to deploy on their own hardware in their own data center or colocation facility. This flexibility ensures that organizations can tailor their storage infrastructure to meet specific needs without being tied to proprietary hardware.
2. Performance
Performance is crucial for meeting DORA's operational resilience and incident reporting requirements. MinIO is designed for high-performance workloads, delivering fast data access and retrieval. Its high-throughput capabilities ensure that data can be quickly ingested, processed, and analyzed, supporting real-time operations and decision-making.
3. Scalability
Scalability is key as data volumes continue to grow. MinIO’s object storage architecture allows for seamless scalability, enabling enterprises to expand their storage capacity as needed. This scalability ensures that organizations can handle increasing data volumes without compromising performance or reliability.
4. Cloud-Native and S3 API Compatible
MinIO is cloud-native and fully compatible with the S3 API, making it an ideal choice for enterprises looking to integrate with existing cloud infrastructure and applications. This compatibility ensures that enterprises can leverage MinIO’s storage capabilities while maintaining interoperability with their cloud-native applications and services.
5. AI-Ready Storage
Artificial Intelligence (AI) and Machine Learning (ML) are becoming integral to financial services, providing insights and automation that drive competitive advantage. MinIO is AI-ready out of the box, offering the performance and scalability needed to support AI and ML workloads. This readiness ensures that enterprises can harness the power of AI without needing to overhaul their storage infrastructure. Want examples? Check out the search tool here.
6. Simplicity in Deployment and Management
MinIO is renowned for its simplicity in deployment, operation, upgrade, and scaling. Its lightweight design and intuitive management interface reduce the complexity typically associated with storage solutions. This simplicity allows IT teams to focus on strategic initiatives rather than being bogged down by operational overhead.
Preparing for DORA with MinIO
DORA is here. Compliance starts in six months. MinIO deploys to production at financial institutions in half that time (if you want a great story, reach out to hear how we went from 0 nodes to 290 over a long weekend).
From Risk Management to Incident Reporting to Operational Resilience Testing, MinIO can meet the demands of the new regulations while providing the platform modern financial service institutions need to grow the business.
Feel free to drop us a note at hello@min.io to engage with the team and learn what other major banks are doing.