URL: https://thenewstack.io/the-hidden-risks-of-unsupported-openjdk-in-financial-systems/

Unsupported OpenJDK in Financial Systems: Hidden Risks - The New Stack

Financial institutions using Java can remain compliant with the EU’s DORA security framework with a secure, supported and stable Java platform.
Oct 24th, 2024 5:59am by Simon Ritter and Geertjan Wielenga
Azul sponsored this post.

The EU’s Digital Operational Resilience Act (DORA) is a regulatory framework aimed at enhancing the digital operational resilience of financial institutions within the European Union.

Its primary goal is to ensure that financial entities can withstand, respond to and recover from all types of disruptions and threats related to information and communications technology (ICT), such as cyberattacks. It’s not to be confused with Google’s DevOps success metrics — also known as DORA.

The EU’s DORA framework establishes a uniform set of requirements for managing ICT risks across the financial sector, promoting a harmonized approach to digital resilience.

Key Points of DORA:

  1. ICT risk management: Financial institutions must implement comprehensive risk management frameworks to identify, assess and mitigate ICT-related risks.
  2. Incident reporting: Entities must report major ICT-related incidents to the relevant authorities within tight deadlines.
  3. Testing and oversight: Regular testing of ICT systems, including penetration testing, is required to ensure operational resilience. Additionally, critical third-party ICT service providers will be subject to oversight.
  4. Third-party risk management: Institutions must carefully manage and monitor risks associated with third-party ICT service providers, including cloud services.
  5. Information sharing: DORA encourages financial entities to share information on cyber threats and vulnerabilities to improve collective resilience.

Five Important Tasks for Compliance

If you are a CISO or are in an IT compliance-related role in a financial institution in the EU, what exactly do you need to do to ensure your organization is in compliance with DORA, particularly in relation to your Java investment?

Put the five critical tasks below on the list of things that you need to start doing right now, since DORA will apply as of Jan. 17, 2025.

1. Develop and Implement a Comprehensive ICT Risk Management Framework

  • DORA Chapter II: ICT Risk Management – Articles 6(1-3), 8(1)

Chapter II mandates a strong ICT risk management framework. As one critical part of that, be aware that using unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. Work with a Java vendor that provides a fully supported and secure Java platform, ensuring that Java applications remain resilient and compliant with ICT risk management requirements.

2. Establish an Incident Reporting Mechanism

  • DORA Chapter III: ICT-related Incident Reporting – Articles 17(1), 18(1)

Chapter III focuses on timely incident reporting. Unsupported OpenJDK distributions might not receive critical updates or fixes, leading to unreported and unnoticed incidents, which can result in noncompliance.

3. Conduct Regular and Rigorous Testing of ICT Systems

  • DORA Chapter IV: Digital Operational Resilience Testing – Articles 24(1), 24(2), 25(1)

Chapter IV requires regular testing of ICT systems. Using unsupported OpenJDK distributions can undermine these tests, as outdated or vulnerable versions may not accurately reflect production environments, leading to false security assumptions. Ensure your Java vendor provides up-to-date, tested Java distributions, enabling reliable and accurate testing environments for financial institutions.

4. Enhance Third-Party Risk Management Practices

  • DORA Chapter V: Management of ICT Third-Party Risk – Article 28(2)

Chapter V addresses third-party ICT risks. Relying on unsupported OpenJDK distributions from third parties increases the risk of security breaches and operational failures. By working with a vendor who provides commercial support for your Java environment, you can ensure that third-party Java-based applications and services meet the highest security and performance standards, reducing third-party risks.

5. Facilitate Information Sharing on Cyber Threats

  • DORA Chapter VI: Information Sharing Arrangements – Article 45(1)

Chapter VI encourages sharing information on cyberthreats. Unsupported OpenJDK distributions may miss critical updates and patches, making them a weak link in the information-sharing chain.

Consequences of Using Unsupported OpenJDK

  • Security risks: Unsupported distributions do not receive timely security updates, leaving systems vulnerable to cyberattacks and breaches.
  • Compliance issues: Lack of support can lead to noncompliance with regulatory requirements like DORA, potentially resulting in fines and reputational damage.
  • Operational instability: Unsupported distributions might not receive performance improvements or critical bug fixes, leading to system outages and degraded performance.
  • Inaccurate testing: Outdated Java environments can cause testing environments to be less accurate, leading to vulnerabilities being missed in resilience tests.

By addressing these tasks, financial organizations invested in Java can safely navigate DORA’s requirements while strengthening their digital operational resilience. Financial institutions using Java can become and remain compliant with DORA by running on a secure, supported and stable Java platform, which mitigates the risks associated with unsupported OpenJDK distributions.

By using Azul’s supported Java distributions, organizations can ensure they are aware of the latest vulnerabilities and can share relevant threat information with other entities to enhance collective cybersecurity. Azul’s Java runtimes come with comprehensive support and monitoring, including detection of vulnerable and dead code in Java applications running in production, helping organizations quickly and accurately detect, report and resolve incidents and maintain compliance with DORA.

Azul provides the Java platform for the modern cloud enterprise. Millions of Java developers, hundreds of millions of devices, and the world’s most highly regarded businesses trust Azul to power their applications with exceptional capabilities, performance, security, value and success.
Simon Ritter is the deputy CTO of Azul. Simon joined Sun Microsystems in 1996 and spent time working in both Java development and consultancy. He has been presenting Java technologies to developers since 1999, focusing on the core Java platform...
Geertjan Wielenga is senior director of open source projects at Azul. He is an open source enthusiast, with many years in the Java and OpenJDK ecosystems, and is the initiator of the Friends of OpenJDK (Foojay.io) community, while having worked...