How to ensure your infrastructure complies with DORA

Author: Joe Peck

In this exclusive article for DCNN, Chris Noon, Director of Solution Engineering, International at Alkira, outlines how financial institutions must embed security, resilience, and transparency into their network infrastructure to meet the demands of DORA:

Rethinking network infrastructure

The Digital Operational Resilience Act (DORA) marks a major change in how the European financial sector manages technology risk. Instead of focusing only on solvency, DORA emphasises keeping digital services running smoothly. For enterprise organisations, this means every part of the technology stack, especially the network infrastructure connecting cloud environments and data centres, must be reviewed with operational resilience and security in mind.

With this new framework, financial institutions are ultimately responsible for their digital resilience, even as they rely more on a complex network of ICT third-party service providers. To manage this, IT and compliance teams need to shift from reactive security to building systems where resilience is built in from the start.

The core pillars of DORA compliance

DORA requires financial organisations to have a complete strategy for managing ICT risks. This strategy should address five main areas: ICT risk management, incident reporting, operational resilience testing, third-party risk management, and information sharing.

From an infrastructure point of view, the regulation says organisations must treat their network and cloud providers as essential parts of service delivery. IT teams should make sure providers go beyond just offering a service-level agreement and also give clear information about how their systems are built, managed, and secured.

Security by design in network infrastructure

To build security by design, start by choosing infrastructure platforms that follow well-known industry standards. When reviewing a network provider, IT teams should look for signs of a “born-in-the-cloud” or “security-first” approach. This shows the platform was built to work in high-risk, tightly regulated settings.

Key indicators of a security-by-design approach include:

• Identity and access governance — Providers should have strong identity and access management (IAM) features, such as multi-factor authentication (MFA), fine-grained role-based access control (RBAC), and policy-based access control (PBAC). This helps make sure only authorised people can change important network settings.

• Encrypted connectivity — Security by design means data must be protected both while moving and when stored. Network providers should make it easy to use encryption across multi-cloud and hybrid setups without making operations more complicated.

• Independent validation — Security claims need to be supported by third-party audits. Certifications like SOC 2 Type II, which cover security, availability, and confidentiality, are important standards. These reports give the proof needed for the due diligence required by DORA.

Building for operational resilience

Operational resilience means a company can handle, respond to, and recover from technology problems. For DORA, this means the network should not have a single point of failure. A resilient setup is usually distributed so that if one part fails, traffic is rerouted to keep services running.

IT teams should choose providers that focus on high availability as a key part of their services. This means having constant monitoring and alerts to catch problems early. The provider should also have a clear and tested incident response plan. DORA requires financial institutions to report major ICT incidents to regulators quickly, so the network provider must be able to supply the needed data and logs for fast investigation and reporting.

Managing third-party risk and oversight

A major challenge with DORA is the extra oversight of third-party providers. Financial organisations now have to include clear contract terms about oversight and audit rights. This need for transparency can be hard for some traditional technology providers to handle.

When choosing an infrastructure partner, organisations should pick providers with clear processes for handling compliance questions. This means they can share security policies, operational procedures, and proof of regular penetration testing under non-disclosure agreements. The provider should act as a partner, helping the customer meet regulatory requirements, not just supplying a technical service.

The role of Infrastructure-as-a-Service (IaaS)

As financial institutions update their networks, many are choosing Infrastructure-as-a-Service (IaaS) models to handle the complexity of multi-cloud environments. These platforms connect on-premises data centres with different cloud service providers, acting as the system’s central hub.

To meet DORA requirements, an IaaS platform must show it does not create new risks. It should be built on a well-known cloud infrastructure that already meets strong security standards. Using a resilient IaaS model helps IT teams see their whole network clearly, making risk management and compliance easier.

Practical steps for IT teams

To get ready for DORA, IT and risk management teams should take these practical steps with their network providers:

1. Conduct comprehensive due diligence — Check current and potential providers to make sure they meet DORA’s rules for security controls, incident response, and resilience testing.

2. Audit contractual arrangements — Make sure contracts clearly state audit rights, service levels, and the provider’s duty to help during a regulatory inquiry.

3. Evaluate multi-cloud strategy — Check if your current network setup allows you to quickly move workloads between cloud providers if one goes down.

4. Establish clear reporting lines — Decide how the network provider will communicate during an incident and what information they will give to support your reporting needs.

Looking forward

DORA is an ongoing operational process, not a one-off project. As regulations change, the need for operational resilience will only grow. Financial institutions that focus on security by design and pick infrastructure partners who value transparency and reliability will be better prepared for these changes.

In the end, resilience is something everyone shares. The financial organisation is still responsible to the regulator, but its compliance success depends on its technology providers. By choosing providers who see compliance as a key part of their design, organisations can build a digital foundation that meets DORA and supports the future of digital finance.
