Source Code Access: The Cornerstone of Dora Compliance

Only 4% of European Union institutions are currently prepared for the Digital Operational Resilience act (Dora),a statistic that underscores the urgent need for comprehensive technological overhauls. The new regulation, which took effect in January, demands a basic shift in how firms govern, manage, and protect their technology infrastructure, and access to source code is rapidly becoming a non-negotiable element of compliance.

According to Adaptive’s Kevin Covington, the ability to readily access and analyze source code is increasingly essential for meeting Dora’s stringent requirements. This isn’t merely a technical detail; it’s a foundational principle for ensuring digital resilience.

The Digital operational resilience Act signals a paradigm shift, compelling organizations to move beyond traditional cybersecurity measures. Dora focuses on the entire technology lifecycle, from growth and procurement to ongoing maintenance and incident response. A key component of this framework is the ability to thoroughly understand and validate the systems that underpin critical financial services.

“Firms need to overhaul how they govern, manage and safeguard their technology,” one analyst noted. This overhaul necessitates a deep dive into the inner workings of software,which is only possible with unfettered access to the underlying source code. Without it, identifying vulnerabilities, conducting impact analyses, and implementing effective remediation strategies becomes significantly more challenging.

The implications of non-compliance are significant, ranging from hefty fines to reputational damage and, ultimately, systemic risk to the financial system. As such, institutions are scrambling to assess their current capabilities and implement the necessary changes. However, the path to Dora compliance is not without its obstacles. Many firms rely on third-party vendors for critical software, and negotiating source code access can be a complex and protracted process.

Moreover, simply having access to source code isn’t enough. Organizations must also possess the expertise to analyze it effectively. This requires a skilled team of developers and security professionals capable of identifying potential vulnerabilities and understanding the implications of code changes.

The challenge extends beyond in-house development.Dora mandates that firms have a clear understanding of the technology used by their third-party providers. This means demanding source code access as part of vendor contracts and establishing robust processes for ongoing monitoring and validation.

The low percentage of firms currently prepared for Dora – just 4%, according to PwC Luxembourg – highlights the scale of the challenge. It’s a wake-up call for the industry,signaling that important investment and effort are required to meet the new regulatory standards. Access to source code is not just a best practice; it’s quickly becoming a fundamental requirement for operating in the EU’s evolving digital landscape.

Why is Dora crucial? The Digital Operational Resilience Act (Dora) was enacted to strengthen the EU financial system against cyberattacks and other operational disruptions. It aims to ensure financial institutions can withstand,respond to,and recover from these events.

Who does Dora affect? Dora impacts all financial entities operating within the European Union, including banks, investment firms, and crypto-asset service providers. It also extends to third-party technology vendors serving these institutions.

What does Dora require? The regulation mandates a comprehensive approach to operational resilience, encompassing governance, risk management, incident response, and, crucially, access to source code for critical software.

How did it end? Dora took effect in January 2024, with full compliance expected by December 31, 2024, for most institutions. While the initial implementation phase is underway, ongoing monitoring and adaptation will be essential as the regulatory landscape evolves. The regulation doesn’t “end” but is a continuous process of enhancement and adaptation.