We are looking for researchers & co-creators!

Apply now

DORA: Strengthening Digital Operational Resilience

Demystify the complexities of the European Union’s new IT regulatory framework, DORA (Digital Operational Resilience Act), and discover the path to achieving operational resilience. Einar & Partners Research Unit's leading industry insights and pioneering research can help you get up to speed and kick-start your DORA journey, as the set deadline for it is tight and approaching fast (17th of January 2025).

DORA & CMDB – Finance Specialization

Where most financial institution find themselves

CI Driven CMDB with few services formalized

  • Heavily infrastructure oriented
  • Too much data with too little context

Application Inventory – but really?

  • Business processes & services lacking
  • Lacking connection to infrastructure
  • Business Criticality sometimes lacking

Governance but largely manual or poorly enforced

  • Heavy reliance on manual processes
  • Not out of culture but regulations

Breakdown of DORA Articles & Impact on CMDB

Critical articles relating to CMDB focuses on business functions, infrastructure dependencies, governance and 3ʳᵈ party provider visibility

Article #8.1

Identification, classification, and documentation of ICT-supported business functions and ICT tasks and responsibilities

Meaning:

  • It is essential to map the hardware/ software/ systems/ applications that support these functions.
  • Note: Inventory to take place at least annually

Article #8.3

Performing a risk assessment during significant changes.

Meaning:

  • Major changes, such as in the network/applications, requires impact analysis of the change on the security of relevant business functions.
  • Document results for mgmt. and auditors

Article #8.4

Identifying all information and ICT assets, including interconnections and dependencies

Meaning:

  • Straight up configuration management. Pinpointed on ICT equipment (such as firewalls etc). Unlike article 1 which also covers business functions/processes/apps this one focuses on the infrastructure layer.

Article #8.5

Inventory of processes dependent on third-party ICT service providers

Meaning:

  • This requires a deeper understanding by indicating interconnections with providers that support critical or important functions.

What requirements does DORA bring towards CMDB?

Break-down of most common pillars and how it impacts the CMDB

Articles 5 of DORA
ICT asset management policy (RTS on Risk Management Framework)
RTS on ICT Incidents (Critical Services Affected, Duration & Service Downtime etc)

Impact Analysis – For real

  • DORA requires visibility of the business processes & its interdependencies;
  • Ability to quantify of the impact of downtime, cyberattacks, incidents.
  • Ability to prove to regulators in structured fashion that impact analysis has been done and tools to support it.

Accountability & Ownership

  • Adequate risk assessments required by DORA cannot be done without a clear understanding of who owns what, how do we offer services and who is responsible
  • Mapping of business criticality on services
  • Validation, certification and business impact assessment, including the governance of 3ʳᵈ party reliance (systems/vendors)

Understand 3ʳᵈ party providers

  • Understanding what data 3ʳᵈ party providers data exchange and any inherit risks
  • Ability to see interdependencies and reliance on 3ʳᵈ party providers from an IT point of view
  • Outsourcing providers for managed infrastructure especially relevant to understand dependencies on

Inventorize the application estate

  • Understanding of the entire application estate for the business
  • Business criticality indicated for applications
  • Interdependencies between applications, across the entire estate (including test/development environments)
Exclusive Webinar Series

Have a Deep Dive into DORA

Join us for a series of insightful webinars and cutting edge content on making sense of DORA by the industry experts of Einar and Partners. Complexities of DORA can be overwhelming. In these sessions, our ITOM Thought Leaders are taking you on a journey to get a better sense in how to draft the optimal technical digital compliance strategies, where and how to kick-start your DORA journey, and best practices to become DORA compliant as well as Operationally Resilient. 

Our Thought Leaders are providing perspectives that are beyond DORA. Their insights do not only check boxes of auditors and DORA compliance, they make sure enterprises become operationally resilient.

Preparing-Service-Operations-and-Governance-for-DORA-Youtube
n2-Webinar-Linkedin
DXC-Webinar-Linkedin-Image

Our Practical Deep-Dive Guide

This is the ultimate resource to learn how CMDB & CSDM in ServiceNow can help make your business resilient operationally and compliant with regulations such as DORA.

Learn about what it takes to:

  • Establish a robust IT governance in the face of DORA regulation
  • Kick-start your DORA journey with the onboarding approach
  • Use CMDB & CSDM in ServiceNow to reach compliance and operational resiliency
Free Download
DORA Whitepaper Operational Resiliance EU Einar and Partners

Stay Ahead with Einar & Partners

Ready to fortify your organization's digital resilience and ensure compliance with DORA?

Get In Touch