The Digital Operational Resilience Act (DORA): What You Need To Know
Ensuring Digital Resilience
The Digital Operational Resilience Act (DORA) is a piece of legislation in the EU (Regulation (EU) 2022/2554) that aims to enhance the operational resilience of the financial sector. The frequency and severity of cyber threats within this sector are high and constantly evolving so the legislation has been designed to ensure that financial entities such as banks, insurance companies, payment institutions and stock exchanges have the necessary mechanisms, technical controls and processes in place to withstand and respond to cyber attacks, IT failures and other disruptions.
It emphasises the need for financial entities to identify and manage their risks, report major ICT-related incidents, and share information and intelligence relating to threats and vulnerabilities, whilst ensuring effective governance, oversight and maintenance of a high-level information security management system.
Compliance with DORA will be mandatory from 17th January 2025. With this in mind, it’s a good time to find out more about it.
What benefits will DORA offer and to whom?
DORA is relevant to all financial entities operating within the EU, regardless of their size or complexity. This includes both traditional financial institutions and fintech companies, including vendors, merchants and issuers alike, that provide financial services such as payment initiation, account information and lending. The complete list can be found here.
The financial sector has become increasingly reliant on digital systems, which has led to greater efficiency, convenience and innovation. However, this increased reliance on technology has also increased the potential for cyber attacks and IT failures, which can have serious consequences for financial stability, consumer protection and market integrity.
The COVID-19 pandemic has highlighted the importance of operational resilience in the financial sector, as many financial entities had to rapidly adapt their daily operations to include remote or hybrid working, with an increased reliance on new digital solutions and communications channels. DORA aims to ensure that financial entities are well prepared for future crises and disruptions, and that they have effective mechanisms in place to protect consumers and market participants.
The key cybersecurity requirements of DORA
The impact of DORA on an organisation’s cybersecurity will be significant and will require companies to embed specific requirements into the three Ps (People, Products and Processes). These are divided into five core principles:
ICT Risk Management
- Effective and prudent governance, including policies and procedures
- A comprehensive and well-documented ICT risk framework
- The risk framework must include granular identification, protection, prevention, detection and treatment processes
- Robust business continuity plans, backups and business impact analysis
- Vulnerability, threat intelligence and information gathering capabilities
ICT Third Party Risk Management
- A comprehensive and well-documented ICT third-party programme as an integral component of the ICT risk management framework
- Adopt a strategy on ICT third-party risk management
- Robust and well-defined contractual agreements with any ICT third party service providers
- Ensure third-party risk assessments and ESA-driven (European Supervisory Authorities) assessments are provisioned
Digital Operational Resilience Testing
- Establish, maintain and review a comprehensive digital operational resilience testing programme
- Testing by independent parties
- At least annual testing for ICT systems and applications that support critical functions
ICT Incident Reporting
- A well-defined and established incident management process to detect, manage and notify ICT-related incidents
- Ability to classify and determine the impact of ICT-related incidents
- Reporting of all major ICT-related incidents to the relevant competent authority
Information Sharing
- Guidelines that encourage information sharing and collaboration among trusted communities of financial entities
- Entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cybersecurity alerts and configuration tools
What are the potential benefits of DORA?
The implementation of DORA should have a clear, positive effect on an organisation’s cybersecurity posture. By requiring financial entities to maintain a mature and robust cybersecurity framework and to identify and manage their risks in accordance with the regulation, the legislation will help to improve the overall security of the financial sector in the EU, reducing the likelihood of a cyber attack and the level of impact.
Potential challenges
Compliance with the new requirements will involve an investment of both time and cost in cybersecurity control measures and solutions, as well as requiring the skills and resources to adopt a proactive approach to managing cybersecurity risks.
Financial entities may face challenges in complying with the new requirements, particularly smaller and less complex entities that may not have the same resources as larger institutions. These organisations may benefit from the help of a cybersecurity consultancy supporting them through the compliance process in a way that suits both their cyber maturity and budget.
Nonetheless, the need for digital operational resilience in the financial sector is clear, and DORA represents an important step towards achieving this goal. Take a look at our DORA Compliance Service to learn how we can help you on your journey to compliance.
Talk To Us About DORA
Submit your details and a Razorthorn consultant will be in touch for a free, initial DORA consultation.