The financial sector is facing increasing pressure to improve its digital resilience, and the EU’s Digital Operational Resilience Act (DORA) is setting the standard. The DORA Act requires financial institutions to have robust business continuity plans in place to withstand disruptions and maintain critical operations. However, with downtime costs reaching astronomical figures (Gartner estimates $5,600 per minute!), the question is how organizations can ensure continuity.
This article explores how Google Workspace can serve as a cornerstone of your business continuity strategy. You will learn how Workspace can help you meet DORA (or NIS2 or similar) requirements and mitigate the risks of operational disruptions.
Fact box – central concepts
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the digital resilience of financial services. It ensures that financial institutions can withstand and manage cyberattacks and other forms of IT-related disruption.
DORA is part of the EU’s wider Digital Finance Package initiative, which was presented in 2020. The EU adopted the regulation in 2022.
DORA ensures that financial institutions have robust IT systems and procedures in place to protect themselves against IT threats and risks that could affect their operations and stability. It applies to a wide range of financial actors, including banks, insurance companies, investment firms, and payment providers, as well as their IT suppliers and third-party service providers.
The key elements of DORA include:
- Risk monitoring and management: Financial institutions must implement systems to monitor, manage, and mitigate IT risks across their organisations.
- Incident handling: Organisations must handle incidents and report the relevant ones to the competent authorities within a short timeframe.
- Cybersecurity testing: Financial institutions must regularly test their IT systems to ensure they can withstand cyberattacks and other digital threats. (Read the ebook: Ensuring cyber compliance with DORA)
- Third-party IT vendors: DORA also emphasises risk management concerning third-party IT vendors. Financial institutions must ensure that their IT suppliers meet the same standards for IT security.
- Information sharing: Organisations have to report significant cyber incidents to the relevant authorities within a short timeframe.
The DORA regulation aims to harmonise the approach to cybersecurity in the financial sector across EU countries, creating greater security and stability in the digital financial ecosystem. Are you interested in learning more about DORA compliance? Check our expert view!
What is business continuity?
Business continuity refers to an organisation’s ability to maintain essential functions during and after a disruptive event. It involves a proactive approach to risk management, encompassing strategies for preventing, mitigating, and recovering from disruptions. Key components of business continuity include:
- Testing and Maintenance: Regularly reviewing and updating plans to ensure their effectiveness.
- Risk Assessment: Identifying potential threats and vulnerabilities.
- Business Impact Analysis: Evaluating the potential impact of disruptions on critical business processes.
- Recovery Strategies: Developing plans and procedures for restoring operations.
Business continuity is central to DORA
DORA covers many areas, and one of the most important is continuity management. In particular, the first pillar, “Risk Monitoring and Management,” is about monitoring and mitigating risks to critical business components.
The aim is to ensure that financial institutions are prepared and have a structured approach to managing both expected and unforeseen IT risks. This builds confidence in systems and reduces the likelihood of serious disruptions. It also protects customers and the economy from the consequences of technology failures or cyber-attacks.
Under the EU’s Digital Operational Resilience Act (DORA), risk monitoring and management ensure that financial institutions and their IT suppliers have structures and processes in place to identify, assess, manage, and mitigate digital risks. This is central to the regulation because financial institutions rely heavily on IT systems and digital infrastructure, which in turn makes them vulnerable to cyber threats and technical failures.
Institutions must put systems in place to continuously monitor and assess the IT risks they face. This includes understanding their dependencies on technology and digital systems and identifying potential weaknesses, threats, and vulnerabilities.
- This includes internal systems as well as third-party systems.
- Procedures must be developed to minimise the risk of IT incidents and to ensure that any incidents are handled effectively.
Financial institutions must ensure that critical business functions can continue during or after an IT incident. This includes ensuring that their IT systems are designed to be robust and resilient to technical failures, cyber-attacks, or other disruptions.
DORA requires financial institutions to have business continuity and disaster recovery plans in place. These plans must ensure that the organisation can quickly restore its digital services and operations in the event of a major disruption. Continuity plans must be tested and updated regularly.
The role of top management in DORA Compliance
DORA requires senior management in financial institutions to take responsibility for the overall management of IT risks. This means that the board of directors and senior management must be actively involved in setting risk management strategies and ensuring that the organisation follows the necessary rules and policies.
Here are the biggest reasons why:
- DORA Article 5 makes top management accountable for a Holistic Multi-Vendor Strategy. Article 29 requires concentration risk management (so Cloud Strategy becomes Multi-Cloud Strategy).
- DORA Article 6 makes top management accountable for using and maintaining reliable, scalable, and resilient systems, appropriate to the nature, variety, complexity, and magnitude of their operations (Data Centre Migration, App Modernisation, Data Estate Modernisation)
- DORA Article 7 makes top management accountable for the identification of Information Assets that are worth protecting, requiring a business outcome of effective Shadow IT risk management (Appsheet for Citizen Developers, Apigee to avoid API Sprawl etc.)
- DORA Articles 8, 9, and 10 make top management accountable for the Protection, Prevention, Detection, Response, and Recovery of systems, which requires a business outcome of End-to-end Security Operations (Security Foundations, Mandiant)
- DORA Article 11 makes top management accountable for the ICT business continuity policy through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms to ensure the continuity of the financial entity’s critical or important functions (Workspace)
- DORA Article 28 makes top management accountable for identifying alternative solutions and developing transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house (Sovereignty Solutions)
The critical role of email and messaging
Email and messaging are key systems that form the foundation of digital collaboration and communication. Large businesses rely heavily on digital communication tools such as email and messaging platforms like MS Teams, Slack, etc. These tools are the backbone of collaboration, facilitating everything from virtual meetings and file sharing to internal communication and project management. Imagine the disruption if these systems were suddenly unavailable: projects would come to a standstill, internal communications would be cut off, and productivity would plummet as a result.
While the extent of this reliance varies across industries, the underlying vulnerability remains. Even in Denmark, where secure alternatives like Netbank and “My Site” offer encrypted communication options, the reality is that many organisations still default to email. This often leads to overlooking GDPR requirements when sharing sensitive data.
The truth is that platforms like Office 365 and Google Workspace have become critical infrastructure for most businesses. Disruption of these services would paralyse many organisations, hindering their ability to communicate internally and with external partners. This dependence creates a single point of failure, leaving businesses vulnerable to technical issues, cyberattacks, and other unforeseen events, any of which could disrupt these essential services.
This underscores the importance of including robust backup solutions in any comprehensive business continuity plan. Relying solely on a single provider, even one as large as Microsoft or Google, exposes organisations to significant risk.
Diversifying with a secondary cloud provider or implementing an on-premises backup system provides a critical safety net. It ensures that communication and collaboration can continue in the face of unexpected disruptions.
Google Workspace as business continuity in an O365 world
Ensuring robust business continuity requires a comprehensive understanding of potential vulnerabilities within your IT infrastructure. While a detailed analysis is beyond the scope of this article, it’s crucial to be aware of common single points of failure that can disrupt operations. These include reliance on specific mail-receiving servers, identity providers, and integrated third-party services.
To combat this and establish robust business continuity, Google Workspace introduces a continuum of three options ranging from basic to extensive. Additional add-on options include emergency Chromebooks and Chrome OS Flex. Cost drivers for these options are primarily influenced by data backup/sync frequency and the size of the data collection.
Migrating to Google Workspace for enhanced business continuity requires careful planning and execution. Organisations must address three core segments:
- First, establish the foundation of your Google Workspace environment. Map out domain structure, plan your deployment strategy (phased rollout, incremental migration, or complete switchover), ensure seamless integration with existing infrastructure (directory services, authentication systems), and configure robust security measures (two-factor authentication, data encryption, access controls).
- Second, strategically consider how to approach the migration of your mail, calendar, and contact data. This involves crafting a comprehensive email migration plan with appropriate tools, setting up efficient synchronisation (such as GCDS) for calendars and contacts, and ensuring coexistence capabilities for a smooth transition.
- Finally, plan your file migration (G Suite Migrate), including a detailed data migration strategy, a clear and logical Google Drive structure, configured collaboration settings, infrastructure hosting, and appropriate security measures and backup procedures for your data.
Google provides funding opportunities to support organisations in implementing Google Workspace as a business continuity solution. This financial assistance can help alleviate the costs associated with setup, migration, and ongoing maintenance.
Devoteam has a proven track record of successful implementations of Google Workspace as a business continuity solution in EMEA. Specific customer names cannot be disclosed due to confidentiality and security reasons.