Table of Contents
- All You Need To Know About DORA in Less Than a Minute
- What is the Digital Operational Resilience Act?
- From Compliance to a Risk-Based Approach
- A Stronger Mandate for the European Supervisory Authorities
- The Five Pillars of DORA
- Who Needs to Comply with DORA?
- The Timeline for DORA Compliance
- What Does DORA Mean for the UK Financial Sector?
- Five Recurring Compliance Themes in EU Legislation
- Six Steps to Align your Efforts for EU Legislative Compliance
- Seven Actions for Quick Wins in DORA Compliance
- How Fortra Can Help Financial Entities Comply with DORA
DORA Explained in Under a Minute
- DORA applies to over 22,000 financial entities and ICT service providers in the EU.
- It introduces specific and prescriptive requirements for all financial market participants, including banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers, and cloud service providers.
- DORA introduces an end-to-end holistic framework for effective risk management, ICT and cybersecurity operational capabilities, and third-party management to assure the consistent delivery of services along the entire financial value chain.
- DORA’s five key pillars are ICT Risk Management, ICT-related Incident Management, Digital Operational Resilience Testing, ICT Third Party Risk Management, and Information Sharing.
- The regulation is unique in introducing an EU-wide oversight framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (DORA) for the financial sector was published in the European Union (EU) Official Journal on December 27, 2022, and entered into force on January 16, 2023. The main objective of the regulation is to strengthen the cyber security of financial entities such as banks, insurance companies, and investment firms.
The EU deems this necessary because of the growing risk of relying on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyber-attacks. Complex IT systems have become the beating heart of our economies. The inherent cyber security risks introduced by digital technologies are amplified by increased digitalization and connectivity, leaving society and the financial system more open to cyber threats or IT outages.
DORA will require companies to focus on a digital resilience strategy supported by a corresponding resilience framework that spans all cross-functional activities of the business. By introducing a consistent supervisory approach across the financial sector, DORA ensures the homogeneity and harmonization of security and resilience practices across the EU. Therefore, the Act requires an end-to-end view of the ICT ecosystem supporting critical business functions and a mature approach to business continuity, incident management, and third-party risk.
From Compliance to a Risk-Based Approach
The framework changes the emphasis away from ensuring financial soundness and toward ensuring that financial firms can maintain resilient operations even in the face of severe operational disruption caused by ICT and cybersecurity issues.
The Act’s primary purpose is to ensure digital resilience policies and frameworks and their governance are integrated into an overarching resilience strategy at an enterprise-wide level. This approach calls for a shift in responsibilities. CEOs and the executive committee are now responsible and accountable for defining this strategy. Because achieving digital resilience requires efficient coordination between all departments inside a financial institution, and that coordination takes time, executives should prioritize it on their upcoming agendas.
A Stronger Mandate for the European Supervisory Authorities
Under the DORA provisions, ESAs will play a vital role in the overall market’s digital resilience. Financial businesses can expect higher supervision from ESAs and more robust controls, with obligations such as:
- Defining policies
- Implementing a mature risk management framework
- Sharing mandatory reporting for ICT-related incidents
- Designing robust continuity and disaster recovery plans
- Performing mandatory annual resilience testing
ESAs expect a range of reporting and communication from financial institutions. This reporting will become a source of information that will deepen the knowledge of the EU cyber ecosystem.
One of the significant changes that DORA brings is digital operational resilience testing. According to the Act, there are two resilience testing categories:
- A mandatory annual internal testing with the financial institutions providing the findings report to the ESAs. This testing applies to all actors in the financial sector.
- Advanced testing at least every three years. Advanced testing by an external entity will allow ESAs to issue a certificate stating the company’s compliance regarding penetration testing. Failing to obtain the certificate could result in a potential halt of the company’s activities. It applies to companies meeting specific criteria the regulator will define in the coming months.
5 Pillars of DORA
DORA compliance is broken down into five pillars covering diverse IT and cybersecurity facets, giving financial firms a thorough foundation for digital resilience:
ICT Risk Management
- Minimize ICT risk through granular risk identification and treatment
- Embed ICT risk management in organizational structure
- Develop comprehensive ICT risk management framework
- Regularly test response and recovery
Classification and Reporting of ICT-related Incidents
- Establish incident management process
- Develop capabilities to monitor, mitigate, and follow up on incidents
- Classify incidents according to defined factors
- Report major incidents to the relevant competent authority
ICT Third-party Risk Management
- Integrate third-party risk within the risk management framework
- Adopt and review a third-party risk management strategy
- Maintain inventory of all contractual agreements with ICT service providers
- Require third-party risk assessments
Digital Operational Resilience Testing
- Implement an operational resilience testing program
- Test using independent parties
- Perform annual tests for critical ICT systems and applications
Information Sharing Between Financial Entities
- Share cyber threat information and intelligence
- Exchange information to enhance operational resilience
Who Needs to Comply with DORA?
There is a wide range of entities that are affected by DORA. The regulation covers banks, payment institutions, investment firms, crypto assets service providers, and more. Additionally, critical third-party ICT providers are also regulated under the Act. Each critical ICT service provider will be designated a Lead Overseer (EBA, ESMA, or EIOPA).
[Figure: DORA Applicability: Financial Entities; ICT Third-Party Service Providers]
The Timeline for DORA Compliance
- 2022: DORA published on December 27, 2022.
- 2023: Came into force on January 16, 2023. First regulatory and implementing technical standards (RTS and ITS) to be developed by ESAs.
- 2024: Multiple RTS and ITS defined and issued by ESAs. They provide entities with specifications and guidance on how to implement specific DORA requirements.
- 2025: Financial entities expected to be compliant with DORA by January 17, 2025. End of 2025: beginning of penetration testing.
- 2026: By January 17, 2026, the European Commission shall review “the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience.”
What Does DORA Mean for the UK Financial Sector?
The UK government indicated that it would legislate for a UK-equivalent of DORA. Regardless of this, UK organizations will need to determine if they fall within the scope of DORA, based on the types of financial market activities covered and whether those occur within EU jurisdictions. For example, if you are based in the UK and provide services to a UK-based bank, you may still be affected in some way if that bank operates within the EU.
5 Recurring Compliance Themes in EU Legislation
DORA is a piece of a bigger puzzle put together by the EU. The strategy ‘A Europe fit for the Digital Age’ includes over 14 regulatory initiatives to shape Europe’s digital future over the next decade. Besides DORA, regulations such as the Artificial Intelligence Act (AI Act), the Digital Services Act (DSA), the Data Act, and many others will transform Europe's digital regulatory landscape.
These regulations share five recurring themes that can be traced back to the General Data Protection Regulation (GDPR). Recognizing these common elements is key to successfully implementing and complying with DORA and the rest of the European digital regulatory package.
- Reporting: All regulations, including DORA, introduce similar notification requirements in case of an incident, data breach, or any other event to the government or supervisory authorities. Organizations must also immediately report any significant ICT-related incident to affected users and clients.
- Documentation: Another recurring theme is the obligation to record and keep documentation, archives, and records for logging information and activities. In the case of DORA, financial entities must register all significant cyber threats, which will require a more mature incident management capability to monitor, mitigate, and resolve cyber incidents.
- Third-party management: The laws raise the bar for how businesses work with third parties and how much responsibility they retain. Accountability for further control over suppliers, business partners, or other third parties like software/cloud providers is also covered here. Financial entities are in charge of establishing contracts regulating the relationship with third parties with a minimum set of details to comply with DORA. Also, organizations ought to have a well-defined ICT third-party risk management plan.
- Governance: Several digital rules share obligations relating to organizational and governance procedures that guarantee efficient risk management and regulatory compliance. DORA requires financial entities to have an internal governance and control framework to ensure efficient management of ICT risks. This procedure must be documented and reviewed per supervisory instructions at least once a year or in the event of significant ICT-related occurrences. Also, ICT auditors ought to perform routine audits of the management framework.
- Assessments: Risk assessments and obligations for conformance have become widespread in the digital space. GDPR set the stage with the Data Protection Impact Assessment (DPIA). DORA requires financial institutions to analyze the risk associated with their outdated ICT systems periodically. Moreover, risk evaluations will be necessary for any outsourcing agreements that support the delivery of crucial or significant functions.
6 Steps to Align your Efforts for EU Legislative Compliance
European financial institutions must prove compliance with numerous regulations and standards over the next two years. Besides DORA compliance, they must abide by PCI DSS 4.0, NIS2, and other EU laws. Complying with so many pieces of legislation will place a heavy burden on the business’s shoulders. However, there are many overlaps. Financial institutions may consider following certain best practices to protect themselves from everyday cyber threats while building compliance and lessening the burden.
- Scope and identify overlaps: Determine the organization’s risk appetite and identify the threats it currently confronts. Organizations can then examine their current policies, processes, and defenses to see where existing elements might be reused or modified to lessen the burden. These actions will help with project prioritization and budgeting to guarantee effective resource use.
- Understand your environment: Understanding possible risks and threats requires clear and consistent visibility into your infrastructure, whether on-premises or in the cloud. Businesses can find areas that can be improved with vulnerability scanning, penetration testing, and red team exercises. Businesses can automate these scans and increase their frequency without adding to the workload of the teams involved. This greater visibility lets an organization react more quickly to small changes and emerging hazards.
- Understand the changes to your environment: Just considering potential external attackers is insufficient. Financial institutions must also consider internal developments that could halt or break a system. To prevent errors from paralyzing an entire organization, configuration change management and file integrity monitoring can help to disclose what changed, when, and who made the change.
- Automation: Several tedious and intricate security procedures can be automated. Organizations can better manage funds, time, and resources to ensure compliance and that everything runs smoothly if they can automate even 20% of those tasks.
- Business continuity and resilience: Although prevention is crucial, organizations cannot wholly prevent compromises. Businesses must be ready to respond if something gets past security measures. How financial institutions prepare for such an incident is a crucial question. It is critical to how quickly businesses bounce back. To be resilient is to be able to survive an attack and quickly and effectively recover. In light of this, a mature approach to security and compliance balances prevention with response.
- Information sharing: Sharing information can help reduce the work involved in spotting threats. Financial organizations can be better prepared by using the lessons learnt by other businesses in the industry. Information exchange should be treated as valuable threat intelligence that reduces the ongoing load on the compliance and security teams.
7 Actions for Quick Wins in DORA Compliance
The following actions could earn financial organizations some quick wins on their path to DORA compliance.
- Realize what’s at stake: Recognize what has to be done, the situation as it stands, and the active projects. Financial businesses can then start carrying out their plans based on this image. Understanding that compliance, like security, will always be ongoing is crucial.
- Identify internal risks: Businesses should pay attention to employees’ mistakes, even though external attacks are the more evident component of the equation. An employee may open a malicious attachment or click on a malicious link due to inattention. Making security a continual presence — technically and logically — is the best approach to avoid this. Existing safeguards can be supplemented with technical data loss prevention technologies and security awareness training.
- Focus on your supply chain: Concentrating on the third-party supply chain, a critical part of DORA compliance, is another crucial element for risk mitigation. Organizations must be aware of the risks partners and suppliers pose, particularly those related to software and applications. The best way to do this is to thoroughly examine these partnerships to ensure they adhere to the standards of the hosting company.
- Discover hidden vulnerabilities: Financial organizations must invest heavily in vulnerability scans and pen tests to maintain compliance and implement effective risk management. Both are essential tools because they provide a thorough grasp of the security posture and its gaps. Pen tests and vulnerability scans reveal real-world effects that might not be realized in a risk assessment. They give security teams helpful information and insights they can use to improve the organization’s compliance and security posture and to gain executive support for allocating funds and resources to carry out projects. The results of these scans and tests can also be used to reprioritize jobs and projects, since they give a more accurate picture of what can occur if an attacker takes advantage of these risks.
- Partner with a managed service provider: Determine whether the company needs to hire more staff or whether it can become compliant with the resources it already has. Acquiring the tools necessary for security and compliance is only the first step. Organizations also need to consider the continuing management and administration requirements brought on by these extra resources. Hiring security professionals to develop a security team is difficult, and businesses must offer training to keep them. Now is the ideal time to think about managed security services, such as detection and response or data loss prevention. A managed service provider is a cost-effective strategy for security and compliance and significantly expands the current security staff.
- Train your employees: Financial institutions must prioritize training their staff members on security awareness. The most current and efficient training is required. Avoid overburdening people with acronyms and technical jargon by concentrating on one subject per month. The information must relate to the employees’ day-to-day activities and give the context necessary to comprehend why a lack of security might be a serious issue for the organization.
- Build layers of defense: Training is enormously influential. However, businesses need additional layers of protection to fortify the organization against evolving threats. These technology layers can help detect phishing emails, ransomware, and malware to prevent an attack from crippling the infrastructure or the ability to do business.
How Fortra Can Help Financial Entities Comply with DORA
Fortra’s portfolio can help financial institutions comply with DORA requirements and every other European legislative initiative.
Mitigate infrastructure and software risks before they become an issue
Use Fortra solutions to identify and address risks within your infrastructure, software, and web applications before an attacker can take advantage of them:
Vulnerability Management: Fortra solutions help locate, analyze, prioritize, and track security weaknesses to maximize IT resources, effectively mitigate risks, and avoid costly breaches.
Penetration Testing: Fortra offers a robust platform that enables security teams to conduct advanced tests efficiently. With guided automation and certified exploits, organizations can safely test their environment using the same techniques as today’s adversaries.
Red Team Exercises: Fortra offers a threat emulation tool for cybersecurity professionals running adversary simulations and red team operations. Ideal for measuring an organization’s security operations program and incident response capabilities, Fortra utilizes powerful post-exploitation agents and covert channels to mimic an advanced threat actor quietly embedded in an IT network.
Data Protection: Fortra’s data protection offering combines data classification with data loss prevention and digital rights management to deliver data protection throughout the entire data lifecycle.
Mitigate threats to organizational resilience
Identify and address risks that could be introduced during day-to-day operations with Fortra solutions for:
Security Awareness Training: Fortra offers affordable, customizable bundle options for any organization’s size and budget. Implementing effective, scalable training programs and building a cyber-aware culture is easier than ever.
Phishing Protection: Solutions from Fortra for email security and anti-phishing can keep emails, brands, and data safe from sophisticated phishing attacks, insider threats, and accidental data loss with minimal business disruption.
Ransomware Mitigation: Fortra provides organizations with the tools to impede ransomware attacks and partners with them at every step to ensure security success. Fortra solutions support rich, deep use cases tailored to unique requirements.
Minimize the impact of attacks and mistakes
Implement proven methods of identifying attacks and mistakes early and minimize the impact with Fortra solutions for:
Managed Detection and Response: Fortra delivers managed detection and response (MDR) with comprehensive coverage for public clouds, SaaS, on-premises, and hybrid environments. MDR services enable organizations to outsource their cybersecurity needs to a trusted team of experts and leverage highly advanced platforms to maximize their security postures.
File Integrity Monitoring: Remediate unauthorized changes, reduce overall risk, and maximize uptime with file integrity monitoring (FIM) from the company that invented it.
Data Loss Prevention: Fortra’s enterprise solutions perform on traditional endpoints, across the corporate network, on cloud applications, and email, making it easier to see and block threats to sensitive information.
Contact Fortra today for help with achieving DORA compliance.