

The Role of Digital Experience Assurance in the Digital Operational Resilience Act (DORA)

By Ian Waters

Summary

The Digital Operational Resilience Act (DORA) broadens the scope of financial resilience measures to include digital services. In this blog post, we explore DORA, its implications, and how ThousandEyes can contribute within this framework.


During our average day, we rely on hundreds, if not thousands, of digital services. In work, and in our personal lives, digital experiences are now part of the fabric of modern life. However, the innovation we expect from modern applications is only made possible by a complex ecosystem of connections, platforms, APIs, and integrations, all functioning together. 

The financial services sector is more aware of this than most, with many of us now primarily interfacing with our banks, insurance firms, and trading platforms digitally. While branches have closed in many countries, it would be hard to argue that the digital services that have replaced them have not made our lives easier. Not many of us would like to go back to a world where we needed to visit a branch to transfer money between accounts.

With these digital services now effectively the new bank branch for customers, it’s more important than ever to assure the quality of their delivery; today, it is here that financial institutions' reputations can be made and lost, with customers and regulators.

At ThousandEyes, we have been fortunate to have long-standing relationships with many of the world’s leading financial services firms. These firms have used the platform to assure the digital experiences they deliver across several use cases. But now, legislation is coming into force in the European Union setting out what is expected of the sector in terms of digital operations and resilience. 

Looking Forward to January 17th, 2025

Back in September 2020, the European Commission published its proposal for the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). Around this time, Cisco had just completed the acquisition of ThousandEyes to bolster its offerings in Digital Experience Monitoring. Applying to more than 22,000 financial entities, either within the European Union or conducting business in the European Union, DORA sought to define a consistent approach to security and resiliency practices across the sector.

As opposed to focusing purely on financial resilience, DORA set out to extend that framework across digital services, setting a new standard of requirements expected in the case of severe operational disruptions, namely, security or IT issues impacting the delivery of those services. In other words, an expectation that financial services organizations would take ownership of that experience from end to end, with visibility and insight into service-impacting issues, wherever they occur.  

The European Union set a two-year implementation timeline for the requirements laid out in the act: DORA entered into force on January 16th, 2023, and its requirements apply from January 17th, 2025. This means that all financial entities in scope, either located in the European Union or conducting business within the union, are expected to be compliant with DORA by that date. Similar baseline operational resilience regulations covering financial services organizations have also been introduced by the Australian regulator (APRA) and by US banking regulators, including the Federal Reserve.

Third-party ICT Service Providers

DORA expands the scope of regulation to other, newer stakeholders in the sector, such as crowdfunding providers and crypto-asset service providers, and sets out expectations on organizations in terms of management, testing, and reporting of ICT (Information & Communications Technology) issues; however, what is most interesting about DORA is its focus on ICT third-party service providers.

Cloud service providers and other ICT third-party service providers are included in the act, along with an expectation that the IT and security teams of financial entities in scope satisfy themselves of a third party's resilience. This requires close interaction and joint effort with critical ICT third-party service providers, especially where they support the delivery of an Important Business Service (IBS); IBS is the UK regulators' term, and DORA itself speaks of "critical or important functions", but the idea is the same. DORA mandates that organizations conduct a mapping exercise to identify these services and their dependencies, both internal and external. This expanding set of providers must now be part of the planning, testing, management, and reporting process, meaning some new approaches to digital assurance and visibility are required.
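The mapping exercise described above is, in practice, a dependency graph: business services sit on internal components, which in turn sit on external ICT providers, and the questions the regulator asks (which third parties does this service ultimately depend on, and which providers are shared by several services) are graph queries. The following is an added example, not ThousandEyes code or a DORA artifact; the service names, dependency edges, and the set of external providers are constructed for illustration.

```python
"""Dependency mapping for important business services (added example).

The graph and the EXTERNAL set below are constructed sample data, not
real inventory. Each key depends on the components in its list; anything
in EXTERNAL is an ICT third-party provider rather than an internal component.
"""
from collections import defaultdict

# Constructed example inventory: service -> direct dependencies
DEPENDENCIES = {
    "mobile-banking": ["api-gateway", "auth-service"],
    "payments": ["api-gateway", "payment-processor"],
    "api-gateway": ["cdn-provider", "dns-provider", "cloud-eu-west"],
    "auth-service": ["cloud-eu-west", "idp-saas"],
    "payment-processor": ["cloud-eu-west", "card-scheme-network"],
}

# Constructed: which nodes are external ICT third-party providers
EXTERNAL = {
    "cdn-provider", "dns-provider", "cloud-eu-west",
    "idp-saas", "card-scheme-network",
}


def transitive_dependencies(service, graph=DEPENDENCIES):
    """Every component reachable from `service`, following edges to depth.

    A visited set guards against cycles, which do occur in real inventories
    (for example two services that call each other).
    """
    seen = set()
    stack = [service]
    while stack:
        node = stack.pop()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def external_dependencies(service, graph=DEPENDENCIES, external=EXTERNAL):
    """Sorted list of third-party providers the service ultimately relies on."""
    return sorted(d for d in transitive_dependencies(service, graph) if d in external)


def shared_providers(services, graph=DEPENDENCIES, external=EXTERNAL):
    """Providers that more than one of the given services depends on.

    A provider shared by several important services is a concentration
    risk: one outage there takes down all of them at once.
    """
    users = defaultdict(set)
    for svc in services:
        for provider in external_dependencies(svc, graph, external):
            users[provider].add(svc)
    return {p: sorted(s) for p, s in users.items() if len(s) > 1}


if __name__ == "__main__":
    for svc in ("mobile-banking", "payments"):
        print(svc, "->", external_dependencies(svc))
    print("shared:", shared_providers(["mobile-banking", "payments"]))
```

In a real register the graph would be loaded from the CMDB or contract inventory rather than hard-coded, but the two queries are what the third-party risk review needs: the per-service provider list goes into the contract and monitoring scope, and the shared-provider output is the concentration-risk discussion.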

At ThousandEyes, we’ve championed the idea of organizations taking control of end-to-end digital experience by providing insight and visibility across their distributed digital services. Just because you don’t own all the component parts does not mean you are not responsible for the experience delivered across them to your user. In fact, not owning all the component parts has become a necessity, so how should you adapt your systems and processes for this new reality?

An Act of Five Parts

To understand the impact of DORA, and the role ThousandEyes can play, we need to explore the act in a bit more detail; the Digital Operational Resilience Act is broken into five main topics:

  1. ICT Risk Management: Essentially, that organizations maintain a resilient ICT framework, with monitoring, identification, and documentation in place to enable rapid isolation of anomalies, alongside comprehensive business continuity and disaster recovery plans.

  2. ICT-related Incident Management, Classification & Reporting: Processes to identify and log ICT incidents; classify which of them are major; and produce initial, intermediate, and final reports on those incidents through standard templates.

  3. Digital Operational Resilience Testing: Test ICT tools and systems at least annually, leading to the identification, mitigation, and prompt elimination of any weaknesses, deficiencies, or gaps; entities designated by their competent authority must additionally carry out threat-led penetration testing at least every three years.

  4. ICT Third-party Risk Management: Register all outsourced activities, with particular focus on critical ICT third-party service providers via a Union Oversight Framework; ensure contracts with these suppliers reflect the new requirements; and put in place a "complete" monitoring approach covering these suppliers.

  5. Information Sharing Arrangements: Allowing financial entities to exchange information among themselves, particularly with regard to cybersecurity, e.g., threat information and intelligence.

As you will see, much of the above relates to monitoring, testing, identifying, documenting, and reporting ICT issues, with a view to mitigation, continuity, recovery, and improvement. However, in such a distributed environment, where, by design, modern applications rely on networks and services outside of your domain of control, how do you start to get your arms around it all? This is where ThousandEyes Digital Experience Assurance can play a role in your strategy to prepare for and operationalize processes for DORA. The ThousandEyes platform specializes in providing you visibility into those service delivery components you rely on, but don’t control. We do this by continuously baselining and mapping out your network as well as those of some of your important third-party ICT providers. Our approach is data-driven, intuitive, and allows you to share the information easily.

ThousandEyes and DORA

Here are some areas where ThousandEyes could deliver value within the five areas where DORA is focused, as part of your wider strategy:

ICT Risk Management

ThousandEyes is a SaaS-based platform that monitors distributed service delivery architectures, providing insights into the entire digital supply chain. Agents constantly test to the applications you care about from your users’ perspective, allowing financial entities to identify and mitigate ICT risks proactively. Our agents span internal networks, Internet dependencies, and cloud services, offering a comprehensive view of potential service-impacting issues.

When anomalies occur, the platform alerts your teams, either directly or through open integration standards to other workflow systems, gives indications of root cause wherever the potential issue occurred, and provides the data you need to document service-impacting issues. This testing also applies to other areas of risk, such as traffic in flight: for example, where a BGP route hijack in the Internet causes traffic to be routed to unexpected or suboptimal destinations, and for considerations like data sovereignty, where you have a regulatory responsibility to understand where your data is at all times.
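The BGP risk mentioned above comes down to two checks on observed routes: does the origin AS of each announcement for your prefixes match what you actually announce, and does the AS path for a prefix you care about pass through a network you would not expect for data-sovereignty reasons? The following is an added example, not ThousandEyes code; it uses documentation prefixes and private ASNs, and the expected-origin table, the "unexpected transit" set, and the observations are all constructed. It also covers the more-specific-prefix case, which a plain origin check misses: a /25 announced from the wrong AS beats your legitimate /24 by longest-prefix match.

```python
"""Route-origin and path checks over BGP observations (added example).

An observation is a prefix plus the AS path as seen from one vantage point,
with the origin AS at the right-hand end. Everything below is constructed
sample data using documentation prefixes (RFC 5737) and private ASNs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    prefix: str
    as_path: tuple  # (nearest to vantage point, ..., origin AS)


# Constructed: the prefixes the entity announces and from which ASN(s)
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},  # legitimate dual-origin prefix
}

# Constructed: transit ASNs that would put traffic outside the expected region
UNEXPECTED_TRANSIT = {64666}


def find_hijack_candidates(observations, expected=EXPECTED_ORIGINS):
    """Flag origin mismatches and overlapping more-specific announcements.

    Returns a list of (finding_kind, prefix, origin_asn) tuples:
      origin-mismatch       exact prefix, wrong origin AS
      more-specific-hijack  sub-prefix of a monitored prefix, wrong origin
      more-specific         sub-prefix from a legitimate origin (de-aggregation;
                            worth knowing about, but not a hijack)
    """
    monitored = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    findings = []
    for obs in observations:
        net = ipaddress.ip_network(obs.prefix)
        origin = obs.as_path[-1]
        for mon_net, asns in monitored.items():
            if net.version != mon_net.version:
                continue
            if net == mon_net:
                if origin not in asns:
                    findings.append(("origin-mismatch", obs.prefix, origin))
            elif net.subnet_of(mon_net):
                # Longest-prefix match means this route wins over the legitimate
                # aggregate in every router that hears it, whoever originates it.
                kind = "more-specific" if origin in asns else "more-specific-hijack"
                findings.append((kind, obs.prefix, origin))
    return findings


def unexpected_transit_hops(obs, disallowed=UNEXPECTED_TRANSIT):
    """ASNs in the path (excluding the origin) that are on the disallowed list."""
    return [asn for asn in obs.as_path[:-1] if asn in disallowed]


if __name__ == "__main__":
    sample = [
        Observation("203.0.113.0/24", (64496, 64497, 64500)),     # as expected
        Observation("203.0.113.0/24", (64496, 64498, 64599)),     # wrong origin
        Observation("203.0.113.128/25", (64496, 64599)),          # more-specific hijack
        Observation("198.51.100.0/24", (64496, 64666, 64501)),    # bad transit
    ]
    for f in find_hijack_candidates(sample):
        print(*f)
    for obs in sample:
        hops = unexpected_transit_hops(obs)
        if hops:
            print("unexpected transit", obs.prefix, hops)
```

The origin check is the same comparison RPKI route-origin validation performs; doing it yourself against observed routes from several vantage points is what tells you whether a hijack is visible only from some corner of the Internet or everywhere.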

ICT-related Incident Management, Classifications & Reporting

With its extensive monitoring and alerting capabilities, ThousandEyes can help detect ICT-related incidents early, enabling efficient reporting to regulatory authorities. Its detailed analyses and visualizations facilitate understanding of the scope and impact of incidents, aiding the accuracy and timeliness of reporting.

The platform provides data on key service-affecting metrics, giving you insight into application availability alongside response time, throughput, jitter, latency, and packet loss, among others, and allowing you to build dashboards based on your own thresholds to support reporting against your KPIs. Alternatively, as ThousandEyes supports OpenTelemetry, all of your test data can be exported to other visualization platforms, such as Splunk, where you can combine it with other datasets to build a contextual view of application health and performance.

In addition, as a cloud-based platform, ThousandEyes ingests billions of data points a day from around the world, building a picture of the health of the global Internet, the major cloud providers, SaaS providers, and the other core building blocks of digital service delivery. This dataset is made available to customers through Internet Insights, helping you answer the question "Is it just us?" and enabling you to understand the blast radius of service-impacting issues.

Digital Operational Resilience Testing

ThousandEyes has been designed, from day one, as a modern, global, web-scale platform with a single code base that allows for regular updates and new feature releases, meaning new features are made available to all customers immediately; there are no legacy versions to maintain and no upgrade overhead for customers. The platform's synthetic tests let entities exercise their networks and applications against a range of ICT disruptions, as part of regular resilience testing, and identify performance bottlenecks and weak points in service delivery that need addressing.

The platform is already leveraged and trusted by many of the world's largest financial institutions, and support is provided in-platform, in the form of third-line engineers available 24/7 via chat to help identify, troubleshoot, and advise on service-impacting issues. In addition, ThousandEyes operates a separate EU region and has been awarded Level 3 certification under the EU Cloud Code of Conduct, alongside its ISO 27018 and ISO 27701 certifications.

ICT Third-party Risk Management

One of the core value propositions of ThousandEyes is the ability to manage service delivery performance across networks you don’t own. As such, visibility into third-party ICT providers, such as Internet Service Providers, Cloud Providers, CDNs, DNS, DDoS Mitigation Services, SaaS Providers, API gateways, Payment Providers, and so on, is automatically gathered when those providers appear in-path between our agents and the applications you care about.

This visibility into the performance and availability of third-party ICT services allows customers to manage and mitigate the risks associated with these external dependencies, aligning with DORA's emphasis on overseeing third-party risk and ensuring it does not compromise operational resilience. Operations teams get the data they need to isolate root cause in the networks relied on for service delivery and to build a performance picture of key providers over time, for use in review meetings, supplier assessments, and SLA management.

In addition, financial services organizations are able to test key providers, such as Internet Service Providers in key regions, new cloud providers, cloud regions, and regional pairs, before deployment of new services or migrations of workloads to the cloud. This allows you to take a data-driven approach to monitoring and reporting on major migrations and changes before, during, and after implementation.

Finally, as an open platform, designed to be extensible via our REST-based API, webhooks, or via OpenTelemetry, customers have the ability to combine test data with other data sources including Application Performance Management platforms, such as Splunk or AppDynamics, as part of a broader Observability strategy.

Information Sharing Arrangements

ThousandEyes enables different organizations to collaborate on shared service-impacting problems, since any incident captured by ThousandEyes is shareable. This is done in the form of sharelinks: an interactive view of a period in time, up to 48 hours, around an event you care about. These sharelinks are stored permanently and allow for retrospective analysis and viewing of issues at the application, network, and Internet routing layers. From within the platform, the same view of an incident can be shared internally or externally, so that everyone is working from the same data-driven picture.

Conclusion

In many ways, just as DORA is a catalyst for financial services organizations to adapt to the new reality of digital service delivery across a distributed architecture to distributed users, ThousandEyes has been designed as the Digital Experience Assurance platform for that same new reality. Customers leverage our platform today to give themselves an end-to-end perspective of their users’ digital experience for the applications that are now the lifeblood of their businesses. ThousandEyes can support financial entities in navigating the complexities of DORA compliance by offering advanced monitoring, testing, and risk management capabilities. These tools not only aid in meeting regulatory requirements but also in enhancing the overall operational resilience of financial organizations against the evolving landscape of ICT threats and challenges.


To find out more about how ThousandEyes can help you prepare for DORA, or for the new requirements of assuring digital business in general, please reach out to your Cisco Partner or Cisco Account Team and ask for a meeting with your ThousandEyes Specialist. 
