Agile DORA Compliance
The Digital Operational Resilience Act (DORA) forms the legal framework for the digital resilience of financial institutions in the EU. In the Netherlands, De Nederlandsche Bank (DNB), together with the Authority for the Financial Markets (AFM), is responsible for supervising this regulation. To avoid compliance theater, DORA requires not just paper-based compliance but also operational resilience testing. What do we need to do to achieve real-world compliance?
Go and see for yourself
One of the management principles described by Jeffrey Liker in The Toyota Way is Genchi Genbutsu: go and see for yourself to thoroughly understand the situation. That is what is needed to solve the problems that people otherwise tend to work around.
On his earlier blog, Kent Beck described how he got management and software development teams together and asked them to make a single-line code change and make sure it ran in production. They were only allowed to work on that, and on helping to make that go faster. That made it easy for everyone to see where a bottleneck was and to remove it, and then to repeat the process with the next bottleneck.
Some time ago, the energy supplier where I was working at the time had a big administrative problem dealing with people moving. It got them lots of attention on national consumer television. Only when the CEO got to see how a customer service representative had to make changes on over 40 pages in SAP to correctly process a customer moving did he realize how error-prone that process was, and did the budget get released to automate it for all the common cases.
In both cases this finally helped the signals from the work floor reach the level where the needed decisions could be made.
How can we apply this principle to DORA?
DNB indicates in its supervisory strategy that it will focus on the consequences of increasing geopolitical tensions and the consequences of cloud computing and outsourcing.
Recently the case of the International Criminal Court (ICC) has raised awareness of this. It had been using Microsoft technology, presumably hosted in the EU. US President Trump interfered in the work of the ICC and imposed sanctions on its prosecutors. That resulted in Microsoft withdrawing access to their accounts. The work of the ICC was severely impacted, and it had to move its email and office suite to a local open source provider.
Other recent cases are Microsoft sharing the emails and names of AP and ACM civil servants involved with the DSA with the US House of Representatives due to the US CLOUD Act, and the sudden restriction of Anthropic's new LLM model to US companies. Earlier there were already worries and questions over our dependencies on Chinese technology.
A useful exercise to really understand what dependencies there are on US (and other) services and technology would be to take a detailed look at those dependencies and disable them.
Start with what the organization can still do, and identify a small change that has a large impact on the essentials that the organization needs to do. That
The resistance against testing this on the real production systems will tell most organizations a lot about how ready they are to be really compliant. Role-playing it on paper is a safe first step.
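The paper exercise above can be made concrete with a small dependency model: list the business processes, the services they rely on, and the provider and jurisdiction behind each service, then "switch off" every provider under one jurisdiction and follow the dependency chain to see which processes stop. The script below is an added example written for this post, not the author's own tooling; the inventory is constructed sample data with hypothetical service and provider names, and the jurisdiction labels are a simplification (a service hosted in the EU by a US provider is still tagged "US", in line with the cases described above).

```python
"""Tabletop 'pull the plug' exercise for third-party dependency risk.

Given an inventory of services (with provider, jurisdiction and the services
each one depends on) and the business processes built on top of them, work out
which processes stop when every provider under one jurisdiction is switched
off, following transitive dependencies. Then rank single replacements by how
many processes they would bring back, to find the 'small change with a large
impact' the exercise is looking for.
"""
from collections import deque
from copy import deepcopy

# Constructed sample inventory; names and providers are hypothetical.
SERVICES = {
    "email":        {"provider": "Microsoft", "jurisdiction": "US", "depends_on": ["identity"]},
    "identity":     {"provider": "Microsoft", "jurisdiction": "US", "depends_on": []},
    "core_banking": {"provider": "in-house",  "jurisdiction": "NL", "depends_on": ["db"]},
    "db":           {"provider": "in-house",  "jurisdiction": "NL", "depends_on": ["cloud_vm"]},
    "cloud_vm":     {"provider": "AWS",       "jurisdiction": "US", "depends_on": []},
    "payments_api": {"provider": "in-house",  "jurisdiction": "NL", "depends_on": ["core_banking"]},
    "office_docs":  {"provider": "LocalOSS",  "jurisdiction": "NL", "depends_on": []},
}

# Business processes and the services each one needs (constructed).
PROCESSES = {
    "customer_payments":   ["payments_api"],
    "customer_onboarding": ["core_banking", "email"],
    "internal_reporting":  ["office_docs"],
}


def disabled_services(inventory, jurisdiction):
    """Services that stop when every provider under `jurisdiction` is off.

    The directly affected services are the seed; anything that (transitively)
    depends on them is unavailable too, found with a breadth-first walk over
    the reverse dependency graph.
    """
    seed = {name for name, svc in inventory.items() if svc["jurisdiction"] == jurisdiction}
    dependents = {name: set() for name in inventory}
    for name, svc in inventory.items():
        for dep in svc["depends_on"]:
            dependents.setdefault(dep, set()).add(name)
    down, queue = set(seed), deque(seed)
    while queue:
        current = queue.popleft()
        for dependent in dependents.get(current, ()):
            if dependent not in down:
                down.add(dependent)
                queue.append(dependent)
    return down


def impacted_processes(processes, inventory, jurisdiction):
    """Map each stopped process to the unavailable services it relies on."""
    down = disabled_services(inventory, jurisdiction)
    return {
        proc: sorted(set(deps) & down)
        for proc, deps in processes.items()
        if set(deps) & down
    }


def rank_single_replacements(processes, inventory, jurisdiction):
    """For each directly affected service, simulate replacing it with a
    provider outside `jurisdiction` and list the processes that come back.
    Sorted so the replacement with the largest effect comes first."""
    before = set(impacted_processes(processes, inventory, jurisdiction))
    results = []
    for name, svc in inventory.items():
        if svc["jurisdiction"] != jurisdiction:
            continue
        trial = deepcopy(inventory)
        trial[name]["jurisdiction"] = "replaced"  # hypothetical local alternative
        after = set(impacted_processes(processes, trial, jurisdiction))
        results.append((name, sorted(before - after)))
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    for proc, missing in impacted_processes(PROCESSES, SERVICES, "US").items():
        print(f"STOPPED {proc}: missing {', '.join(missing)}")
    for name, restored in rank_single_replacements(PROCESSES, SERVICES, "US"):
        print(f"replace {name}: restores {restored or 'nothing'}")
```

With the sample data, switching off US providers stops customer payments as well as onboarding, because the in-house database sits on a US-hosted VM; replacing that one VM restores payments, while swapping email or identity alone restores nothing. That is exactly the kind of signal the exercise is meant to surface before anyone touches production.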