Ann Schlemmer, CEO at Percona.

In technology, we are used to thinking in binary terms; computing is built on combinations of ones and zeros that denote a value being “on” or “off.” All these elements combine to build the overall application or service. From tiny components, we build huge applications that we expect to be available around the clock. Yet these complex systems can fail for any number of reasons, and some of their components may be operated by third-party providers in the cloud.

With so much of daily life relying on digital technologies, we can’t afford for a single issue to take down a whole application. We expect more resilience in our applications, particularly in the financial sector. What might be a minor issue around IT in one organization could potentially disrupt markets or affect entire regions.

To counter this, the European Union passed the Digital Operational Resilience Act, or DORA, which requires banks and financial institutions to ensure their systems are resilient in the event of a severe operational disruption. DORA came into force on January 17, 2025, two years after the regulation was initially passed.

As someone with experience in retail and commercial banking who is now CEO of a company specializing in open-source databases, this is something I’ve been paying close attention to. Traditionally, I found IT security planning for banks often involved looking at how to prevent issues and protect systems against attack or theft. Cyberattacks are the most common issue that bank chief risk officers have to manage, at 58%, according to a survey by the Risk Management Association and Oliver Wyman.

But with so many attacks taking place, it is not a case of if one will succeed, but rather when it will happen. At this point, institutions have to work on how to withstand attacks and continue to function properly. This is where resilience comes to the fore.

DORA And Reducing Risk

DORA applies to a range of financial institutions and the IT companies that support those businesses, such as cloud service providers that serve banks or finance companies. This is important because an attack or outage at a cloud provider could seriously affect any banks or financial companies that run on that cloud infrastructure.

To protect systems against failure, banks need to protect their critical applications against potential risks. They also need to minimize the potential impact of any failures that may occur.

From a technical perspective, banks have implemented business continuity plans for years. These implementations doubled the amount of hardware and software used to run systems, through clustering and high-availability services. To complement this, large banks normally have disaster-recovery sites to use in the event of a problem, and multisite operations for redundancy.

For both banks and technology providers, planning around resilience involves looking at the wider picture. Alongside the technology that is used, there is also the challenge of getting support or expertise for that deployment. In this context, open-source software might play a role in resilience for some institutions.

Benefits And Risks Of Open-Source Software

Under DORA, banks have to look at the resiliency of their systems. While this includes security and preventing attacks, banks also need to avoid single points of failure, or SPOFs. This means not relying on a single cloud service provider or technology company. To help with this, a part of banks’ strategy might be using open-source software. Open-source software can be supported by multiple companies, each bringing their own expertise and breadth of knowledge. This could help reduce potential risk by allowing organizations to work with their choice of suppliers instead of being dependent on a sole provider.

However, there are still risks financial institutions would need to consider. I’ve seen through my company’s work providing services for open-source databases that this software may change licenses from an open license to one that is “source available,” which requires payment to that specific company to continue using the software.

A change in software license can represent a problem. It can lead to additional costs and affect your future technology strategy. When the company makes decisions around its software, it can take paths that do not suit your business. For example, it could deprecate features that you rely on and that would break the applications or services you deliver to your customers. While this is not a security issue per se, it does represent a threat to the resilience of your application.

So, I’ve observed some banks have started looking at how they can work in a community-focused way to better control their technology approach. If you’re thinking of using open-source projects, consider exploring ones that are operated by a community or foundation, rather than controlled by a specific vendor, to help prevent this risk.

Resilience And The Cloud

Alongside software, there is also the cloud to consider. The Fintech Open Source Foundation (FINOS) developed the Common Cloud Controls (CCC) project to create a consistent set of controls for public cloud deployments. By building a common approach for controls that can be applied across different public cloud environments, banks can more effectively manage migrations and operate across multiple providers.

With this in mind, I think the first step for banks to strengthen their cloud resiliency is to engage with broader industry efforts like FINOS’ CCC. Alongside using the CCC standards to improve cloud implementation, this can help ensure your voice is heard and you are engaged in efforts to improve cloud management and continuity.

Actively contributing to these initiatives fosters a sense of communal ownership and is more likely to lead to long-term improvements. When you’re invested in the process, you are more likely to take meaningful action.

Final Thoughts

As every bank or financial institution has its own deployment approach in place, there is no one-size-fits-all approach that can meet DORA’s requirements for more resilient systems and reliable banking services. Each organization will have to design its own environment and support its applications effectively.

As I see it, the promise of the internet was that it would provide a reliable network that would survive the failure of any single node. For banks, open-source software and collaborations may help improve their resilience over time—as long as it’s approached thoughtfully.
