DataOpsZone

Ensuring Readiness for the Digital Operational Resilience Act (DORA)

Introduction

As of January 2025, the Digital Operational Resilience Act (DORA) is now in force across the European Economic Area (EEA), requiring financial entities and their ICT service providers to strengthen their operational resilience against disruptions — including cyber threats, system failures, and third-party outages.

DORA marks a regulatory shift — from reactive cybersecurity to proactive operational resilience. Institutions must now prove their ability to maintain uninterrupted service delivery through risk-aware planning, rigorous data governance, and scenario-based testing.

This checklist distills DORA’s legal obligations into actionable executive-level controls, with a focus on the intersection of governance, data, and IT environments. It is designed to support CIOs, compliance officers, and operational leaders as they assess and elevate digital resilience across the enterprise.

1. ICT Risk Management Framework

Definition:
A structured, organization-wide approach to identifying, classifying, and mitigating ICT-related risks, ensuring traceability to critical business services.

To ensure compliance:
Establish a documented, regularly updated risk policy. Conduct assessments that cover system interdependencies, data exposure, and third-party integrations. Ensure insights inform your recovery planning and investment prioritization.

2. Data Governance & Control

Definition:
The lifecycle management of sensitive data across production and non-production environments — ensuring confidentiality, traceability, and minimal exposure.

To ensure compliance:
Automate data profiling / discovery and classification. Apply masking or pseudonymization in non-production tiers. Enforce RBAC with comprehensive logging. Retain records per regulatory standards and ensure full auditability.

3. ICT Incident Detection & Reporting

Definition:
End-to-end capabilities for detecting, analyzing, documenting, and reporting ICT incidents — internally and externally — within regulatory timeframes.

To ensure compliance:
Deploy observability or SIEM tools across environments. Maintain triage protocols and escalation paths. Pre-approve regulator reporting templates and rehearse reporting workflows through quarterly simulations.

4. Resilience Testing & Recovery

Definition:
The ability to simulate disruptions, validate recoverability, and test continuity strategies against defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

To ensure compliance:
Define a testing calendar aligned to business critical events. Validate recovery processes using safe, synthetic or masked data. Document outcomes and corrective actions in a central repository for audit readiness.

5. ICT Third-Party Risk

Definition:
Oversight and control over third-party service providers, ensuring they meet equivalent resilience and data protection standards.

To ensure compliance:
Maintain a vendor risk register with clear tiering. Update MSAs and DPAs to include resilience clauses, incident notification, and portability guarantees. Simulate exit or fallback strategies for critical suppliers.

6. Governance, Oversight & Documentation

Definition:
Defined roles, reporting lines, and organizational structures that demonstrate ownership of digital resilience and ICT risk.

To ensure compliance:
Assign executive accountability for ICT risk. Create a governance committee or working group. Use centralized tools to manage policies, track decisions, and deliver compliance training with full audit traceability.

7. Information Sharing

Definition:
Participation in regulatory and peer-to-peer threat intelligence networks to improve industry-wide resilience and situational awareness.

To ensure compliance:
Automate threat feed ingestion. Continuously update detection rules based on shared advisories. Use peer comparisons to benchmark your resilience posture and proactively address emerging threats.

Final Thoughts

DORA introduces a new regulatory paradigm — where digital resilience isn’t just encouraged, but mandated. While many firms have invested in cybersecurity, DORA demands more: proof of continuity, data governance, and survivability across your digital estate.

This checklist is both a baseline and a blueprint. It clarifies not just what must be done — but how to demonstrate it to your auditors, board, and regulators.

In an era where digital transformation is accelerating at an unprecedented pace, data has become one of the most valuable assets for businesses and governments alike. As organizations continue to migrate to cloud platforms and expand their global operations, one critical concept that has gained significant attention is data residency. But what exactly is data residency, and why is it so crucial in today’s regulatory and security landscape?

Understanding Data Residency

Data residency refers to the geographical location where an organization’s data is stored and processed. Unlike data sovereignty, which pertains to a country’s legal authority over data stored within its borders, or data localization, which mandates that data must remain within a country’s territory without cross-border transfers, data residency primarily focuses on ensuring that data is housed in a specific region, often for compliance and security reasons.

Many enterprises, especially those in highly regulated industries such as finance, healthcare, and government, must comply with strict data residency requirements. These regulations help maintain control over sensitive information, safeguard privacy, and prevent unauthorized foreign access to critical data.

Why Data Residency Matters

With increasing concerns around data security, regulatory compliance, and operational performance, organizations must carefully consider where their data is stored. Here are some key reasons why data residency has become a top priority for businesses globally:

1. Regulatory Compliance

Many countries have stringent data protection laws that require organizations to store specific types of data within their national borders. For example:

• Australia’s Privacy Act 1988 mandates that companies handling personal data must ensure its protection, including where and how the data is stored.
• The European Union’s General Data Protection Regulation (GDPR) enforces strict rules regarding the storage and transfer of EU citizens’ data.
• The United States’ CLOUD Act grants law enforcement access to data stored by U.S.-based service providers, regardless of where the data is located, raising concerns about foreign access to sensitive information.

Organizations that fail to adhere to these regulations risk heavy fines, reputational damage, and legal repercussions.

2. Data Security & Sovereignty

Data residency requirements help ensure that organizations retain greater control over their data, minimizing the risk of external breaches or foreign government interference. Countries often implement data residency rules to protect sensitive national information from cyber threats and unauthorized surveillance.

For example, Australia recently introduced stricter cybersecurity laws requiring critical infrastructure providers to meet enhanced data security obligations. Businesses operating in industries such as banking, healthcare, and telecommunications must now implement robust data storage solutions that align with national security interests.

3. Improved Performance & Reduced Latency

Storing data closer to the end-user can enhance system performance and reduce latency. When organizations leverage cloud services with regional data centers, they can provide users with faster and more reliable access to applications and services.

For instance, companies using GitHub Enterprise Cloud with data residency in Australia benefit from improved performance while ensuring compliance with local regulations. This is particularly important for businesses operating in highly regulated sectors that require both speed and security.

4. Enhanced Trust & Customer Confidence

Consumers today are more privacy-conscious than ever before. By demonstrating compliance with data residency requirements, businesses can build trust with their customers and reassure them that their personal data is being handled securely and in accordance with relevant regulations.

A survey conducted by PwC found that 85% of consumers will not do business with a company if they have concerns about its data security practices. This highlights the importance of transparency in how organizations manage and store customer data.

Challenges of Implementing Data Residency

While data residency offers numerous benefits, it also presents several challenges for organizations, including:

1. Increased Costs

Maintaining regional data centers or using cloud providers that offer localized storage can be expensive. Companies may need to invest in additional infrastructure, security measures, and compliance frameworks to meet data residency requirements.

2. Complexity in Cloud Services

Cloud computing has revolutionized how businesses operate, but ensuring data residency compliance within multi-cloud environments can be complex. Many global cloud providers, such as AWS, Microsoft Azure, and Google Cloud, offer regional data centers, but businesses must carefully configure their storage policies to comply with specific regulations.

3. Cross-Border Data Transfers

Many organizations operate across multiple jurisdictions, necessitating data transfers between countries. Balancing compliance with efficiency can be challenging, particularly when dealing with conflicting international regulations. For example, companies operating in both the EU and the U.S. must navigate the complexities of GDPR and the CLOUD Act simultaneously.

Best Practices for Ensuring Data Residency Compliance

To address the challenges associated with data residency, organizations should adopt the following best practices:

1. Choose Cloud Providers with Regional Data Residency Options

Leading cloud service providers now offer localized data storage solutions to help businesses comply with data residency regulations. When selecting a provider, organizations should ensure that they have the option to store data within their preferred region.

2. Implement Strong Data Governance Policies

A comprehensive data governance strategy is essential for managing compliance and security risks. Organizations should establish clear policies around:

• Data classification (e.g., personal, sensitive, confidential data)
• Access controls and encryption measures
• Data retention and deletion policies

3. Monitor Regulatory Changes

Data residency laws are constantly evolving. Businesses must stay up to date with regulatory changes and adjust their data storage strategies accordingly. Partnering with legal experts and compliance specialists can help ensure ongoing compliance with international data protection laws.

4. Invest in Security & Encryption

Regardless of where data is stored, encryption and security best practices should be a top priority. Businesses should implement:

• End-to-end encryption to protect data at rest and in transit
• Multi-factor authentication (MFA) to prevent unauthorized access
• Regular security audits to identify vulnerabilities and mitigate risks

5. Educate Employees & Stakeholders

Human error is one of the leading causes of data breaches. Organizations should conduct regular training programs to educate employees on data residency policies, cybersecurity best practices, and regulatory compliance requirements.

The Future of Data Residency

As digital transformation continues, data residency will remain a critical consideration for businesses worldwide. Governments are expected to introduce stricter data protection laws, and organizations will need to adopt hybrid cloud solutions to balance compliance, performance, and security.

Emerging technologies such as edge computing and sovereign cloud solutions will also play a significant role in shaping the future of data residency. These innovations will allow businesses to process data closer to their users while maintaining control over data sovereignty and compliance requirements.

Conclusion

In today’s data-driven world, organizations cannot afford to overlook the importance of data residency. From regulatory compliance and data security to customer trust and operational efficiency, where and how data is stored has significant implications for businesses across all industries.

By proactively adopting data residency best practices, investing in secure cloud infrastructure, and staying informed on evolving regulations, organizations can mitigate risks, enhance performance, and maintain compliance in an increasingly complex digital landscape.

As businesses continue their journey toward cloud-first strategies, choosing the right data residency approach will be a key differentiator in ensuring long-term success.

In today’s digital landscape, data powers innovation and operations. Yet, not all data is managed or secure. Shadow data refers to sensitive or critical information existing outside formal IT oversight. Often hidden, this unmanaged data poses significant risks.

Defining Shadow Data

Shadow data includes any data residing outside authorized, tracked environments. Examples include:

• Test Data: Production data copied to test or staging environments without proper masking.
• Unsecured Cloud Data: Files in misconfigured or unauthorized cloud storage.
• Legacy Data: Sensitive information in outdated systems.
• Shared Data: Information exchanged via unauthorized apps or personal devices.

Shadow data is essentially unmanaged data, exposing organizations to unnecessary risks.

Why Shadow Data Exists

Several factors contribute to shadow data:

1. Data Replication: Production data is often replicated for testing or analytics without proper anonymization.
2. Cloud Complexity: Multi-cloud strategies make it harder to monitor data storage.
3. Legacy Systems: Outdated systems often hold unmanaged sensitive information.
4. Collaboration Tools: Platforms like Slack or Google Drive encourage data sharing outside secure environments.
5. Human Error: Employees may store or share data improperly.

Risks of Shadow Data

Shadow data poses substantial risks, including:

1. Higher Breach Costs

According to the 2024 “Cost of a Data Breach Report,” breaches involving shadow data cost 16.2% more, with an average of $5.27 million. These breaches take longer to detect and contain, lasting 291 days on average compared to 227 days for other breaches.

2. Compliance Issues

Unmanaged shadow data often includes sensitive information like PII, putting organizations at risk of non-compliance with regulations such as GDPR or CCPA.

3. Operational Inefficiencies

Shadow data creates blind spots in IT systems, making operations and decision-making less effective.

4. Increased Vulnerabilities

Unsecured shadow data is an easy target for attackers, increasing the likelihood of breaches.

Identifying Shadow Data

Finding shadow data requires comprehensive discovery and mapping. Key strategies include:

1. Automated Discovery and Data/Risk Profiling Tools

Use tools to scan environments, uncover unmanaged data sources, and profile sensitive data to assess associated risks.

2. Cloud Monitoring

Regularly monitor cloud configurations for unauthorized data storage.

3. IT Landscape Audits

Audit the IT landscape to identify outdated or unmanaged data and ensure all environments are accounted for.

4. Employee Feedback

Encourage employees to report shadow data practices they encounter.

Mitigating Shadow Data Risks

Addressing shadow data involves proactive management and security measures:

1. Centralize Governance

Adopt standardized data policies across all environments to reduce inconsistencies.

2. Mask Sensitive Data

Anonymize production data used in test environments to minimize exposure.

3. Control Access

Limit data access to authorized personnel and enforce multi-factor authentication.

4. Continuous Monitoring

Deploy tools that continuously track and analyze data flows to detect anomalies.

5. Employee Training

Educate staff on shadow data risks and proper data management practices.

Role of Tools in Managing Shadow Data

Specialized tools help simplify shadow data management:

• Environment Management Tools centralize oversight and improve governance.
• Test Data Management Tools automate data masking and provisioning.

Conclusion

Shadow data is a hidden threat with serious implications for security, compliance, and efficiency. Organizations must take steps to discover and secure this data, integrating strategies like centralized governance, data masking, and continuous monitoring. By proactively managing shadow data, businesses can reduce risks and ensure a more secure, streamlined IT environment.