When searching online for the new EU Regulation for strengthening the cybersecurity of financial entities and their third-party IT providers, called Digital Operational Resilience Act or DORA, it is almost certain that you will stumble upon Dora the Explorer, the famous kids’ animation. However, there is a (secret) connection between the two terms, as DORA the Regulation can help you explore effective and efficient ways to become resilient against cyber threats. It is, hence, vital that you embark now on the adventure of achieving compliance with DORA’s requirements.
This article will help you navigate through the different technicalities.
What is DORA (Digital Operational Resilience Act)?
The Digital Operational Resilience Act (DORA) addresses a fundamental problem in the EU financial ecosystem; how the sector can stay resilient during severe operational disruption.
In the digital age, complex IT systems have become the beating heart of our economies. The inherent cybersecurity risks introduced by digital technologies are amplified by increased digitalization and connectivity, leaving society and the financial system more open to cyber threats or IT outages. Before DORA, financial institutions used capital allocation to manage the significant operational risk categories, but they needed complete control over all aspects of operational resilience. They must better address and integrate cybersecurity resilience into their larger operational frameworks.
The European Council press release provides a comprehensive statement of the purpose of the Digital Operational Resilience Act:
“DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.”
The European Council issued the press release on 28 November 2022, when they adopted the Digital Operational Resilience Act (DORA).
Who Does DORA Impact?
Per Article 2 of the Regulation, DORA applies to financial entities, including banks, insurance companies, investment firms, and crypto-asset service providers. The Regulation also covers critical third parties offering financial companies IT and cybersecurity services.
Because DORA is a Regulation and not a Directive, it is enforceable and directly applicable in all EU Member States.
Another essential aspect is that DORA supplements the Network and Information Security (NIS2) directive, which provides cybersecurity requirements for protecting critical infrastructure, including the financial sector. DORA builds on the NIS2 directive and addresses possible overlaps via a “lex specialis” exemption.
How Does DORA Relate to GDPR?
DORA is mainly a cybersecurity regulation; however, compliance with its requirements is a great step ahead to protecting the privacy of sensitive personal data, such as financial records, mandated by GDPR. Nevertheless, it is commonly accepted that privacy and cybersecurity face the same risks; adversaries who are determined to break into banking systems (a cybersecurity breach) to compromise personal and financial data (a privacy breach).
At the same time, GDPR states that all covered entities, including financial ones, must establish and implement sufficient cybersecurity controls to safeguard the privacy of their customers’ data. Hence, DORA can become an excellent tool for financial organizations to comply with GDPR requirements.
What is the DORA Compliance Timeline?
According to Article 64, the Regulation entered into force on 17 January 2023 and, “It shall apply from 17 January 2025.”
It is also important to note that Article 58 specifies that by 17 January 2026, the European Commission shall review, “the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience.”
What Are the Next Steps?
Each EU member state will transpose the “required” aspects of the Regulation into national legislation. The relevant European Supervisory Authorities (ESAs), including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards that will be adhered to by all financial services institutions. The relevant national competent authorities shall supervise compliance with the Regulation and, where appropriate, enforce it.
What Does DORA Mean for EU Financial Operations?
The act stipulates standards, norms, and guidelines to guide financial organizations in managing IT and cyber risks. It highlights the importance that EU regulators place on reporting, communication, and assessments that must occur often and are made possible by standardized formats.
Many of the obligations outlined in the DORA rule, such as those for ICT risk management, are also covered in current financial sector standards like the EBA MaRisk Guidelines, with which financial organizations are familiar. However, in other instances, such as the monitoring and oversight of ICT service providers or auditing ICT systems, the DORA obligations go above and beyond what is currently in place.
DORA compliance is broken down into five pillars covering diverse IT and cybersecurity facets, giving financial firms a thorough foundation for digital resilience.
- ICT risk management: Internal governance and control processes ensure the effective and sensible management of ICT risk.
- ICT-related incident management, classification, and reporting: Detect, manage and alert ICT-related incidents through the definition, establishment and implementation of a cybersecurity incident response and management process.
- Digital operational resilience testing: Evaluate readiness for managing cybersecurity incidents, spot flaws, shortcomings, and gaps in digital operational resilience, and swiftly put corrective measures in place.
- Managing ICT third-party risk: This is an integral component of cybersecurity risk within the ICT risk management framework.
- Information sharing: Exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures (TTP), and cybersecurity alerts, to enhance the resilience of financial entities.
How to Prepare for DORA Compliance Now
While developing the technical standards might take some time, financial entities do not have to sit and wait. Time (and money) is precious when preparing to achieve compliance with the DORA requirements. Organizations must assess and identify actions they can take to prepare for the new rules.
The following recommendations are a good starting point:
- ICT risk management: Evaluate the current governance and risk management techniques. Additionally, consider increasing funding for programs that help detect threats and incidents and strengthening enterprise-wide cybersecurity awareness training initiatives.
- Incident reporting: Evaluate the maturity of incident management and reporting to understand current state capabilities and gauge awareness of the various cybersecurity incident reporting standards relevant to the financial services industry. You should also check your ability to recognize near-miss situations.
- Board-level buy-in: It’s important to include board members in compliance conversations early. If they understand why process change is needed and how you plan to implement, you are more likely to get buy-in.
- Resilience testing: Recognize the talents needed to design and carry out resilience testing, including board member training sessions on the techniques used and their implications for repair.
- Third-party risk management: To assist in creating a risk containment plan, concentrate on enhancing contract mapping and assessing third-party vulnerabilities. Recognize the services that are essential for hosting fundamental business processes. Check to see if a fault-tolerant architecture has been implemented to lessen the impact of critical provider disruption.
Fortra can become your trusted partner in meeting the DORA compliance requirements. Our Infrastructure Protection solutions can help you build a resilient security posture to defend every part of your organization.
In addition, with solutions ranging from security awareness training, anti-phishing and ransomware protection, part of Fortra Email Security's portfolio of solutions, to managed detection and response, you can stay ahead of security threats and regulatory compliance requirements by implementing multiple layers of security in the framework of a security strategy that thwarts threats from inside and outside your organization.
Let’s talk about how we can help. Contact one of our cybersecurity experts for additional information.