In January 2025, the European Union (EU) will begin enforcing a new regulation called the Digital Operational Resilience Act (DORA). The DORA regulation mandates sweeping cyber resilience requirements for financial institutions and third-party information and communication technology (ICT) providers.
In this blog post, we examine how two core Perforce offerings help financial institutions and their supporting ecosystem of service providers comply with the requirements laid out in the DORA regulation.
What is the Digital Operations Resilience Act (DORA)?
The DORA regulation’s primary aim is to strengthen the cybersecurity of financial institutions, insurance companies, and investment firms operating in the EU. It also seeks to strengthen the resilience of Europe’s financial sector as a whole.
The DORA regulation includes four major mandates:
- Harmonizing legacy ICT regulations.
- Strengthening ICT risk management.
- Improving catastrophic failure response.
- Scrutinizing third-party providers and supply chains.
DORA Regulation: Harmonizing Legacy ICT Regulations
Before the DORA regulation was proposed in September 2020 and adopted in November 2022, the EU had a patchwork of different ICT risk management mandates. DORA consolidates these rules into a single, consistent regulation. The new regulation will both improve the EU financial sector’s cybersecurity posture and make it easier for financial institutions to comply with regulations.
DORA Regulation: Strengthen ICT Risk Management
An institution’s risk management framework is an essential component of their cybersecurity processes. Predictably, the DORA regulation requires organizations to reinforce their ICT risk management frameworks. This includes identifying potential risks, implementing preventative measures, and establishing incident recovery plans.
DORA Regulation: Improve Catastrophic Failure Response and Reporting
IT issues can cause severe operational disruptions in organizations regardless of their industry. The causes of these issues include cyberattacks, technical glitches, and other unplanned outages. The DORA regulation mandates that financial institutions strengthen their resilience against IT issues, improve reporting capabilities and share information more effectively. In other words, they must improve their ability to withstand catastrophic failures — or at least bounce back quickly from them if hit and communicate effectively with regulators and the general public.
New DORA Regulation: Introduce Third-Party Risk Management
Moving forward under DORA, enforcement authorities will be scrutinizing third-party providers’ products, internal processes, and controls. Authorities may require additional security documentation and testing to ensure that relevant business processes meet DORA standards. As a result, financial institutions have begun increasing their stringency in assessing and managing vendor-related risks to ensure they comply with DORA.
Get DORA Ready: Avoid Penalties and Stay Secure
Non-compliance with the European Union's Digital Operations and Resilience Act (DORA) risks large fines and painful recovery. But compliance doesn't need to be complicated. Get expert guidance on how to implement DORA compliance across your infrastructure while saving time and money with this eBook.
5 Ways Perforce Helps Institutions Comply with the DORA Regulation
The DORA regulation mandates that financial institutions build and implement a right-sized ICT risk management framework that evolves as the business grows and threats change. This requires financial institutions to improve their infrastructure security and their software security.
Partnering with Perforce will help your financial institution strengthen infrastructure security and software security in compliance with the DORA regulation. You’ll be able to protect financial systems and data from development, test, and integration environments through live production environments. As a result, you’ll be able to minimize the attack surface and accelerate the testing and deployment of remedial measures.
How will you be able to do this? Using Perforce Delphix and Perforce Puppet will help your financial institution comply with the DORA regulation by enabling five key actions:
- Continual identification and remediation of software vulnerabilities.
- Continual identification and remediation of system vulnerabilities.
- Moving sensitive data compliantly, securely, and cost-effectively.
- Reducing critical business disruption recovery time to restore transactional integrity.
- Reducing critical business disruption recovery time for conducting forensic audits.
1. Continual Identification and Remediation of Software Vulnerabilities
The DORA regulation seeks to reduce cybersecurity vulnerabilities across financial institutions. Perforce automates security and configuration hardening to enable continual identification and remediation vulnerabilities. This enables financial institutions like yours to strengthen ICT risk management frameworks.
The Delphix DevOps Data Platform virtualizes databases and allows for efficient storage and version control of all virtual databases. This helps organizations identify vulnerabilities in applications and enables swift, reliable application recovery in the event of a cyberattack.
2. Continual Identification and Remediation of System Vulnerabilities
Under the DORA regulation, it’s just as important for financial institutions to secure systems and hardware as it is for them to secure software. Puppet automates infrastructure security hardening to secure servers, networks, apps, databases, and more against vulnerabilities and attack. Hardening systems lets financial institutions like yours remediate vulnerabilities before they can be exploited by threat actors or cause business interruptions.
3. Moving Sensitive Data Compliantly, Securely, and Cost-Effectively
Under the DORA regulation, it is important for financial institutions to limit access to their sensitive data and be able to create an audit trail. When data needs to be moved it should be done securely and in a compliant manner. This is especially critical as sensitive data volume increases. In a recent 2024 State of Data Compliance and Security Report, 75% reported an increase in sensitive data. And 91% are concerned about this increased exposure footprint.
Delphix helps financial institutions like yours accomplish this in a few ways with data compliance and security solutions. Data managers can use Delphix to automatically create full copies of production datasets whose sensitive data values are replaced with realistic but fictitious values. This is also known as static data masking (or data masking).
Masked data maintains referential integrity and remains production-grade. Automation reduces the chance of human error. It also has the added advantage of being very cost-effective when done at scale.
Delphix can automate sensitive data masking at scale and across your applications. Data masking via Delphix reduces the needs for data waivers and the use of real production data in non-production environments. This is a critical risk mitigation factor, since non-production environments may be less protected than production environments.
This improves test quality while minimizing the chance of sensitive data leakage.
Once data is masked, the Delphix platform accelerates the delivery of masked test data to testing and QA teams at enterprise scale. The high quality of masked data minimizes the risk of bugs slipping into production environments. This ensures data security while also mitigating catastrophic failures.
DORA and Protecting Sensitive Data & Infrastructure at Scale
The DORA enforcement deadline is coming up. Hear from experts on how to keep your sensitive data and infrastructure resilient, secure, recoverable, and DORA-compliant.
4. Reducing Critical Business Disruption Recovery Time to Restore Transactional Integrity
The DORA regulation mandates that financial institutions be able to recover quickly from cyberattacks and other critical business disruptions. A key component of bouncing back is the ability to restore the last known good state.
Delphix allows your systems to be restored in a break-fix environment to an exact point in time in a matter of minutes. Systems can be restored down to the individual transaction, irrespective of the data footprint. This greatly reduces the mean time to investigate and allows responder teams to test fixes in isolation before they are applied to production. 
5. Reducing Critical Business Disruption Recovery Time for Conducting Forensic Audits
Under the DORA regulation, it’s critical for financial institutions to quickly undertake a forensic analysis following a cyberattack. Puppet minimizes the amount of time it takes to commence such an audit of infrastructure following a critical business disruption.
Critical business disruptions may change a financial institution’s infrastructure configuration. Puppet also ensures consistent system configuration at scale. This allows financial institutions to ensure their infrastructure’s desired state, which can be tailored to suit various risk postures, including CIS benchmarks or regulations such as DORA or GDPR. If a vulnerability arises, Puppet can revert infrastructure back to its desired state to address the vulnerability.
Make DORA Regulation Compliance Easier With Perforce
EU authorities are set to begin enforcing the DORA regulation in January 2025. In the coming months, organizations will need to ensure that they fully meet the DORA Act’s standards. By using Perforce solutions, your organization can strengthen its ICT risk management framework, boost its operational resilience, and accelerate innovation.
Delphix for Data Privacy Compliance
Delphix eliminates sensitive data risks in non-production environments, while accelerating innovation in software development, analytics, and AI. When you use Delphix, you’ll automatically discover sensitive data. That data gets replaced with fictitious, production-like data, using a rich library of pre-built, and customizable algorithms. This ensures data utility and referential integrity across your data sources from on-premises to cloud.
Delphix effectively scales from the smallest SQL server to massive analytical sources (like Snowflake and Databricks). Delphix then delivers secure data rapidly and automatically to downstream teams — when and where they need it — to shift left and improve quality.
With Delphix, you don’t need to choose between compliance and software speed. Your organization can achieve data compliance while accelerating speed and quality of software development and analytics initiatives. No trade-offs necessary.
Puppet for Infrastructure Stability
Puppet Enterprise’s secure infrastructure automation and robust configuration management capabilities enable desired state enforcement across complex hybrid infrastructure. Using Puppet helps teams increase efficiency and velocity while maximizing resources.
With Puppet, your teams can enforce their desired state at any scale anywhere with configuration as code. It helps your organization efficiently bring new and existing compute resources into compliance continuously while quickly updating them whenever policies change. This also helps you easily demonstrate continuous compliance to auditors. Using self-enforcing policy as code, Puppet makes compliance manageable with unified control and visibility across clouds and data centers.
Additionally, Puppet’s Security Compliance Enforcement feature enforces hardened security baselines from respected sources such as CIS and DISA across heterogeneous Windows and Linux distributions on-premises, in the cloud, and in hybrid setups. This saves organizations the time of manually coding compliant configurations for each OS in their Puppet infrastructure.