The EU’s Digital Operational Resilience Act (DORA) explained
The Digital Operational Resilience Act (DORA) (not to be confused with Google’s DevOps Research and Assessment Metrics, also called DORA) aims to establish a universal framework for managing and mitigating IT risk in the financial sector. The Directive aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection. In short, providing a safety net for mission-critical services affected by the fallout of major digital service failures.
Financial services organizations are expected to be fully compliant by 2025; not an easy feat given that most are relentlessly focused on making progress against risky, costly and massively resource-intensive initiatives like application modernization and cloud migration. The slew of recent media articles surrounding tech outages, poorly executed migrations and data security breaches shows just how difficult it is to maintain operational continuity during times of technological transition.
In this article, we will dive into the key aspects of DORA, its objectives, and the implications it holds for software development teams within financial services companies. Then we’ll take a closer look at how AI platforms, like Diffblue Cover, can help engineering organizations more easily adhere to DORA - and prevent costly IT migration and modernization disasters.
How DORA affects software development teams
Here are 9 ways technical leaders and their teams will be affected:
1. Stricter Security Standards
DORA places a strong emphasis on cybersecurity. Software engineers will need to adopt robust security practices and incorporate security into the software development lifecycle. This includes implementing encryption, authentication, and access control measures to protect sensitive data.
2. Thorough Testing and Scenario Analysis
Code quality will become more important than ever before, in order to ensure high degrees of operational resilience. In many cases this will require increased testing frequency, higher code quality gates and being able to remediate regressions and defects quicker.
3. Incident Response Planning
Operational teams responsible for DevSecOps will play a vital role in developing incident response plans. They will need to create protocols for quickly addressing and mitigating incidents, such as cyberattacks, software failures, and other operational disruptions.
4. Use of Third-Party Software and Service Providers
Financial institutions must evaluate and manage risks associated with third-party software and service providers. Software engineering teams will be involved in assessing the security and operational resilience of these external solutions and ensuring that they meet DORA’s requirements.
5. Documentation and Reporting
DORA mandates clear documentation and reporting of incidents, including their root causes and impacts. Software engineering teams will need to maintain detailed records and provide input for reporting when incidents occur.
6. Oversight and Accountability
Technical leaders may face greater scrutiny from internal and external auditors and regulatory authorities. They will be held accountable for the integrity and resilience of the software systems they develop.
7. Resource Allocation
Financial institutions will likely allocate more resources to software engineering teams to support the development and maintenance of resilient and secure systems. This may include investments in cybersecurity tools and personnel.
8. Adoption of Best Practices
To meet DORA’s requirements, software engineering teams will need to adopt industry best practices in software development, DevSecOps, and risk management. This will lead to a more rigorous and disciplined approach to software engineering.
9. Cultural Shift towards Resilience
DORA will necessitate a cultural shift within financial institutions, emphasizing operational resilience. Software engineering teams will need to align with this shift and promote resilience-focused thinking throughout their organizations.
How Diffblue can help you adhere to DORA
For software teams to meet the objectives of DORA, there is one element that is critical to success: unit testing for code and ensuring adequate code coverage before starting any modernization efforts. In this, Diffblue Cover is an essential platform which uses AI to automate unit testing. This helps teams achieve more efficient, faster software development, and reduces the main risks that DORA focuses on.
Here’s a closer look at how.
The Diffblue solution set is perfectly aligned with the IT risk management requirements of both the EU’s Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience Framework (PS21/3), which came online in 2022.
Failures in application testing and poor test coverage causes bottlenecks in the development pipeline and increase overall development cycle time. Given that unit tests are the first line of defense against bugs and regressions, it’s critical to unit test deeply, continuously and successfully as part of a CI pipeline, alongside integration testing.
Diffblue Cover uses a method of AI machine learning called reinforcement learning to solve the problem of poor unit test coverage and test failures by autonomously creating and updating unit test suites for Java application development. It enables developers and development teams to catch regressions and unplanned behavior changes more comprehensively than any manual process.
Cover automatically creates comprehensive, human-like Java unit tests - saving developer time, increasing test coverage, and reducing regression risks. It takes care of the following, entirely:
- Automatically analyzes a codebase and creates a baseline unit test suite
- Automatically writes new unit tests for new code
- Automatically updates existing unit tests in your code
- Automatically removes existing unit tests in your code when they’re no longer required
Diffblue Cover is not an AI assistant, it is fully autonomous and completely takes care of writing, updating and continuously improving test coverage. As a result of the deep understanding of how your code works, following the initial analysis, Diffblue Cover knows what tests need to be added and updated for every single code change. It implements the necessary unit testing updates automatically, ensuring that coverage does not drop as development teams move faster. The AI-written unit tests are ready to use - they compile, run, and accurately validate the current behavior of your code.
Diffblue’s financial services customers, including Citi, JP Morgan Chase and Goldman Sachs, use the platform to adopt DevOps, ship more frequently using CI and modern software practices, reduce risk and cost to modernize applications, break them down into microservices, and refactor them to run on public clouds.
By using Diffblue Cover to modernize mission-critical Java applications, organizations can do the following:
1. Improve code coverage, fast
Diffblue is the only fully-automated AI solution that can autonomously write new code, improve existing code, accelerate CI pipelines and provide deep insights into the risk of change. This means huge increases in code coverage, no matter how large your legacy codebase is.
2. Make complex migrations safer.
Modernization almost always involves adaptation of something that’s already functional. Unless you’re completely rebuilding an application, it’s vital to protect the core business logic, interfaces, and other aspects that already exist. With this, you can maintain operational continuity of systems that are already serving customers.
Additionally, maintaining code quality during major updates is often seen as the biggest modernization challenge. Diffblue Cover ensures optimal code quality throughout the entire process.
3. Adopt CI/CD more easily
By fully automating unit testing, deeply and continuously as part of a CI pipeline, software teams can realize the potential of CI much more quickly and more easily. Cover integrates with popular CI tools to enable developers to quickly get a unit test baseline which automatically keeps pace with changes.
4. Adopt better DevSecOps practices
DevSecOps, an evolution of DevOps, includes application security practices in every stage of software development. Diffblue Cover enables a natural shift to DevSecOps by providing invaluable risk mitigation for organizations working to modernize complex applications. This allows security teams to build stronger checks into the DevOps pipeline without slowing down engineering teams’ cycle times. Diffblue Cover’s unit tests enable rapid understanding of complex applications, allowing customers to innovate with confidence.
Use Autonomous AI-driven unit testing to achieve and maintain DORA compliance
The impact of DORA on software engineering teams will be substantial. It not only places greater responsibilities on these teams to ensure operational resilience and cybersecurity of applications but also demands a shift in mindset and practices.
Compliance with DORA will require software engineering teams to adopt a proactive, security-focused, and resilience-oriented approach in their software development processes, and a key part of this will be ensuring fully effective unit testing and coverage.
The bottom line: Diffblue Cover’s reinforcement learning solution for automated unit test writing allows teams to modernize faster and with lower risk so that they can meet DORA requirements. And it provides objective proof – the test code itself – for auditors and regulators, and does it 250x faster than if it was done by human effort. It frees up developer resources from writing manual unit tests, allowing them to concentrate on new, creative solutions to anything the market demands.
Speak to our team today to see how Diffblue Cover can help you stay ahead of regulations, so your organization’s modernization doesn’t become a cautionary tale, rather an example of operational resilience done right.