Under DORA, financial institutions and ICT providers are mandated to ensure end-to-end digital operational resilience, which explicitly includes physical systems that underpin ICT functionality—such as cooling, power supply, and environmental controls within data centres.
Key Embedded Requirements:
Risk management frameworks must include failure scenarios involving HVAC, UPS, and backup generators.
Testing protocols (including advanced threat-led penetration testing) should validate the resilience of physical systems supporting critical ICT.
Third-party risk oversight mandates continuous monitoring and contingency planning for facilities service providers.
Why These Are Overlooked:
Perceived as "non-digital" by IT governance teams.
Operational silos between IT and facilities management lead to gaps in integrated risk assessment.
Assumed reliability of legacy infrastructure masks systemic vulnerability.
Fiscal and Regulatory Penalties:
Fines can reach up to 2% of total annual worldwide turnover for critical ICT-related incidents attributable to insufficient risk controls, including environmental system failure.
Regulatory scrutiny intensifies with cross-border impact or repeat failures, leading to audits, reputational damage, and potential licence restrictions.
Embedding DORA into critical infrastructure is not optional—it is foundational to full-scope resilience and regulatory compliance.
1. Infrastructure Efficiency
Conduct regular energy audits and apply power usage effectiveness (PUE) metrics.
Implement high-efficiency cooling systems (e.g., hot/cold aisle containment, liquid cooling).
Consolidate and virtualise servers to reduce underutilisation and hardware footprint.
2. IT Asset Management
Maintain an accurate CMDB (Configuration Management Database).
decommission obsolete or redundant equipment promptly.
optimise server provisioning and monitor capacity in real-time.
3. Energy and Sustainability Management
Leverage renewable energy sources and green data centre certifications (e.g., LEED).
Install intelligent power distribution units (PDUs) for load balancing.
Integrate DCIM (Data Centre Infrastructure Management) tools for granular energy monitoring.
4. Network Optimisation
Use software-defined networking (SDN) for dynamic traffic control and reduced latency.
Rationalise and re-architect network topology to minimise complexity and cost.
Implement redundancy and failover mechanisms for uptime assurance.
5. Security and Compliance
Align with industry standards (ISO/IEC 27001, NIST, GDPR).
Enforce rigorous physical and cybersecurity protocols.
Conduct regular penetration testing and compliance audits.
6. Automation and Orchestration
Utilise AI/ML for predictive maintenance and resource allocation.
Deploy Infrastructure-as-Code (IaC) for consistent provisioning.
Automate backup, patching, and recovery processes.
7. Cloud Integration and Hybrid Strategy
Assess workloads for cloud suitability (public, private, hybrid).
Implement cloud bursting to handle demand spikes.
Maintain interoperability and avoid vendor lock-in through open architectures.
8. Operational Excellence
Define and monitor KPIs such as uptime, latency, cost per workload.
Streamline change and incident management processes.
Upskill staff with current certifications and technical training.
Self-Service BI Tools: Power BI/Tableau dashboards tailored to different user roles (e.g. partners vs finance).
Centralized Data Lake: Integrate data across systems (PMS, DMS, CRM) for a 360° view.
AI and NLP: Use natural language processing to analyze contracts, litigation trends, and client communications.
Better-informed client relationships
Improved profitability and pricing agility
Scalable legal operations
Reduced compliance risk
Stronger employee engagement and retention
Managing thrid party suppliers and internal teams we work with you to add value and out pace your competition
Peter Maher Limited Carpenter Court Maple Road Bramhall Stockport SK7 2HD