The Digital Operational Resilience Act (DORA) is a major piece of legislation that goes into effect in the EU in January 2025. DORA impacts financial institutions in all EU member states and their ICT third-party service providers. It also applies to U.S. businesses that offer financial services within the EU or provide third-party services to EU financial institutions. DORA raises the already high level of data security, operational resilience, and service quality that financial institutions must maintain.
The gnashing teeth of this legislation are a combination of documentary evidence of compliance and significant penalties for non-compliance. Due to stronger requirements and stricter enforcement, DORA has been referred to as the GDPR of the financial sector. The ultimate responsibility for non-compliance with DORA is placed firmly on the financial institutions and their executives. Therefore, these financial institutions are focusing their attention on ICT providers that play a critical role in their operational resilience.
Understanding the Shared Responsibility Model
While SaaS providers like ServiceNow invest significant resources to maintain the security of their platforms, they are largely hands-off regarding their customers’ data. However, many organizations do not realize their responsibilities under the shared responsibility model, creating a dangerous blind spot when it comes to ServiceNow data resiliency. The most common causes of data loss and corruption in ServiceNow are accidental deletions and integration errors, and malicious activities are also potential risks. In whatever way a financial institution experiences a data loss or corruption in ServiceNow, the disruption can be lengthy and costly unless they have independent 3rd party backups that enable quick and precise restoration.
The Role of ServiceNow in Operational Resilience
Many financial institutions overlook the indirect dependency between their operational resilience and ServiceNow data. These companies rely on data in ServiceNow to troubleshoot and resolve IT problems and to understand system dependencies, enabling them to manage problems efficiently. When an IT problem causes a disruption in services and IT support staff cannot access critical data in ServiceNow, it can take longer to resolve the issue, negatively impacting consumer confidence and competitiveness directly impacting the business’s bottom line. In the context of DORA, ServiceNow could be considered a critical ICT provider with associated added importance and value.
Financial institutions that rely on ServiceNow for customer-facing services and support can use Own products to ensure that critical information is available even during an IT incident. In some European countries, banks must display their service quality relative to competing banks, and customers consider this factor when choosing a bank. Financial institutions can maintain their competitiveness and consumer confidence by minimizing disruption and downtime, impacting the quality of customer service.
Own Company (formerly OwnBackup) can help you quickly bring your ServiceNow data into compliance with DORA by maintaining secure, resilience-ready backups that support rapid and reliable recovery.
Independent 3rd Party Backups
DORA has a section dedicated to backup policies and recovery methods that aim to ensure the restoration of operations with minimum downtime, disruption, and data loss. Storing backups securely and segregated from the system where the original data resides is essential. Own Recover performs proactive preservation of mission-critical data stored in ServiceNow, storing it independently and securely, making it safe and accessible whenever needed. Recover provides an intuitive interface to navigate backups, export data, and automate operations.
Have You Tested Your RTO?
DORA also has a specific requirement for Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):
“In determining the recovery time and recovery point objectives for each function, financial entities shall take into account whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.”
A critical dependency for meeting RTO and RPO are systems like ServiceNow that financial institutions rely on to maintain infrastructure and troubleshoot issues. ServiceNow backups are not suitable for DORA compliance, and Own Recover can help you fulfill this requirement. Financial institutions that rely on ServiceNow for maintaining infrastructure can use Recover to reliably back up and restore data that supports IT services (ITSM) and operations (ITOM), ensuring their availability and integrity when troubleshooting problems.
Reference: How to Recover Lost or Corrupted ServiceNow Data with Ease
Precise Repair
It is important to understand that simply having a backup does not make your business resilient against data loss or corruption. The ability to restore data rapidly in good condition is more complex than you might realize. A key to timely recovery is being able to restore precisely what was damaged rather than having to restore everything in its entirety unnecessarily, which wastes valuable time and resources. Recovering data in a precise and timely manner enables you to bounce back to normal business operations, avoiding significant disruption and cost.
With Own Recover, you can precisely target and restore only the lost or corrupted data, leaving the bulk of your “still good” data untouched. Such surgical operations on backups can save time and impact when dealing with data loss/corruption and uncover valuable details about the scope and cause of an incident.
ServiceNow Data Monitoring & Alerting
The sooner you detect that data has been lost or corrupted in ServiceNow, the better for mitigating associated disruption to your business. Therefore, it is important to proactively monitor your mission-critical data for unexpected changes, and to use automated anomaly alerting mechanisms.DORA recognizes this and requires financial institutions to have automatic alerting mechanisms and sufficient resources and capabilities to monitor occurrences of ICT anomalies.
Own Recover analyzes data changes between backups which provides visibility of ServiceNow data and metadata modifications over time, including deletion and corruption. In addition, to help you detect potential problems more quickly, Recover generates Smart Alerts to notify you of changes impacting the availability and integrity of their ServiceNow data. Recover also maintains an audit trail of its activities and usage for security and compliance purposes.
Documentary Evidence of Resilience Testing
Notably, to comply with DORA, financial institutions must do more than create contingency plans. You have to demonstrate that processes work in practice and improve over time.
Specifically, DORA requires that financial institutions periodically test that they can recover from backup in a timely manner. Financial institutions can follow Own's industry-leading Data Recovery Readiness and Response (DR3™) program to ensure your people, processes, and platforms are prepared to resolve data loss/corruption impacting critical data in ServiceNow. The DR3™ assessment report documents current ServiceNow data protection and resiliency, which you can use for reporting to regulatory authorities.
Final Thoughts
DORA is an important step to prevent disruption and maintain the quality of financial services. The increased emphasis on business continuity and timely recovery supports the availability and reliability of mission-critical data for financial institutions. So, raising the bar for financial services companies makes sense but comes with a cost. Covered entities that rely on ServiceNow for critical functions, including workflows and information for troubleshooting their infrastructure and applications that deliver services to customers and other institutions, need solutions that reduce the time and cost of compliance, which is where Own can help.
For more on this topic, check out our on-demand webinar, "Dora Compliance And ServiceNow: How To Protect Your Data".
