The Digital Operational Resilience Act (DORA) is a framework that will ensure cybersecurity and risk management is comprehensive in the financial sector. We will discuss what DORA is and the five pillars relating to the DORA framework.
What is DORA?
DORA is a regulation introduced by the European Union in 2022 that ensures all financial institutions have effective risk management. This regulation was signed in January 2023, and allows all EU member states 2 years to implement this regulation. Financial organizations, as well as their third-party Information and Communication Technology (ICT) providers, have until January 17th 2025 to ensure they meet the risk management and resilience requirements stated in the DORA framework. The framework also ensures that the relevant organizations are more resilient to ICT-related threats and disruptions.
DORA is meant to bring harmony to ICT regulations for all EU member states, as well as thoroughly address ICT risk management for financial institutions in the EU. The aim of this is to ensure there are no gaps in regulation for different EU member states that could lead to conflict or increased risk. DORA will apply to:
- Financial organizations such as banks, insurance companies, investment firms.
- Asset managers.
- Crypto-asset providers and crowdfunding platforms.
- Cloud service providers and data centers (organizations that provide ICT services to financial organizations).
The Five DORA Pillars
There are five pillars that form part of the main DORA framework requirements. Each pillar has their own set of compliance or regulatory requirements. The pillars are listed below.
Management of ICT Risks: DORA sets out key principles around internal controls and governance structures to keep abreast with the quickly evolving cyber threat landscape. The ICT Risk Management framework includes:
- Financial organizations are required to have a comprehensive and well-documented ICT risk management framework, reviewed once a year, and upon the occurrence of major ICT-related incidents.
- Set-up and maintain strong ICT systems and tools that minimize the impact of ICT risk.
- All sources of ICT risks should be identified to set up protection and prevention measures.
- Fast detection of unusual activities should be established.
- Dedicated and comprehensive business policies and disaster recovery plans should be in place, ensuring fast recovery after an ICT-related incident.
- Establish mechanisms to learn and evolve both from external events as well as the organization’s own ICT incidents.
Management and reporting of incidents: DORA sets out when and how relevant organizations should report any ICT-related incidents. Organizations should:
- Establish and implement a management process to monitor and log ICT-related incidents.
- Classify the incident according to the criteria detailed in the regulation.
- Ensure the reporting of incidents to the relevant authorities using a common template and a harmonized procedure as established by the respective supervisory authority.
- Submit initial, intermediate, and final reports on ICT-related incidents to the organization’s users and clients.
Digital operational resilience testing: DORA defines common standards for digital operational resilience testing with the goal of ensuring organizations are prepared when ICT-related incidents happen. This includes:
- A full range of appropriate tests must be foreseen, including vulnerability assessments and scans such as:
- Open-source analyses
- Network security assessment
- Penetration testing
- Source code reviews
- Advanced testing of ICT tools, systems and processes based on threat led penetration testing (TLPT) or Red Team Testing.
At the end of the tests, financial organizations should communicate agreed reports and remediation plans to the competent authority and should confirm that penetration tests have been performed in accordance with these requirements. The rest of the requirements include:
- Elements within the ICT risk management framework should be periodically tested for readiness.
- Any weaknesses, deficiencies or gaps must be identified and promptly eliminated with the implementation of counteractive measures.
- Digital operational resilience testing requirements must be proportionate to the organizations’ size, business, and risk profiles.
- Conduct threat led penetration testing to address higher levels of risk exposure.
Managing third-party risk and regulating critical ICT service providers: Financial organizations will be required to observe several key elements in their relationship with ICT third-party providers. Contracts that govern this relationship will be required to include:
- Indication of locations where data is to be processed.
- Full service-level descriptions.
- Quantitative and qualitative performance targets.
- Relevant provisions on accessibility, availability, integrity, security, and protection of personal data.
- Inspection and audit by the financial organization or an appointed third-party.
- Clear termination rights and dedicated exit strategies.
- Ensure sound monitoring of risks originating from the dependencies on ICT third-party providers.
- Harmonizing key elements of the service and relationship with ICT third-party providers to enable complete monitoring.
- Ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details.
Information sharing: Financial organizations are allowed to set up arrangements to share cyber threat information and intelligence with each other, including indicators of:
- cyber security alerts;
- configuration tools.
Sharing must be done by financial organizations through information-sharing arrangements that protect the sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data and guidelines on competition policy.
Although DORA seems like an overwhelming task to complete, it will ensure there is cohesive regulation among all EU member states regarding the financial sector. It will ensure there is effective and comprehensive risk management and bring harmony to regulation for all. The five pillars of DORA will need to be complied with, including management of ICT risk, managing and reporting of incidents, digital operational resilience testing, managing third-party risk, and information sharing. All relevant organizations in the financial sector and their third-party ICT providers will need to be compliant by the 17th of January 2025.
Contact SECURNITE for help with becoming DORA compliant.