Businesses around the world face a growing threat from cyber attacks. A wide range of industries, from banking to energy to transportation, are affected daily by cyber incidents. ICT risks grow and continue to endanger the security of the EU financial system.
A new regulation called the Digital Operational Resilience Act (DORA) intends to improve the information and communication technology (ICT) security of financial entities in the European Union (EU). In response to its implementation, the EU’s financial sector must optimize its ICT risk management, including that of third parties.
This article aims to provide an overview of the Digital Operational Resilience Act (DORA), its five key requirements, what it means for the financial sector and how to achieve DORA compliance.
Understanding DORA
What is DORA, and why may it concern you?
DORA (Digital Operational Resilience Act) is the new EU regulation that became law on 16 January 2023. It aims to protect the financial stability of the EU and its consumers by ensuring they have the digital security they need. Its goal is to curb the growth of cyber attacks within the financial sector and ensure that financial entities can secure their data, protect themselves from potential threats and respond effectively to ICT-related events. DORA establishes a regulatory framework of guidelines for digital resilience and strengthens cybersecurity across financial services.
DORA requires financial entities to conduct in-depth risk assessments and identify potential threats that could compromise their digital systems. Additionally, it directs companies to report any incidents so that they can be tracked, controlled, and prevented from recurring. The law intends to improve financial institutions’ information and communication technology (ICT) security in the European Union (EU).
On November 28, 2022, DORA was formally adopted by the Council, and on December 27, 2022, the final text of the Digital Operational Resilience Act was published in the Official Journal of the EU. DORA is expected to enter into force on January 16, 2023, and the act will apply from January 17, 2025.
The five key pillars of the DORA regulation
By outlining some key pillars, DORA helps organizations navigate the complexities of digital threats and operational disruptions. Here’s what you need to know about the impact and scope of DORA.

1. Risk management
Under the Digital Operational Resilience Act (DORA), financial entities are required to establish a robust risk management framework to effectively address ICT risks. This involves identifying, assessing, and mitigating risks related to ICT services, ensuring that all financial institutions, including crypto asset service providers, investment firms, and electronic money institutions, are protected from potential cybersecurity threats.
The European Supervisory Authorities (ESA), including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), will ensure compliance with the DORA regulation across the EU’s financial sector. Financial institutions must adopt disaster recovery plans to maintain operational resilience and ensure proper oversight of their risk management processes, thus safeguarding critical functions from ICT-related risks.
2. ICT incident reporting
The DORA regulation mandates that financial entities report ICT-related incidents, such as data breaches or ICT disruptions, to national competent authorities and supervisory authorities within the EU. Timely and accurate incident reporting helps identify vulnerabilities and strengthens the financial ecosystem’s ability to recover from cyber attacks.
Financial entities and third-party service providers must also report incidents so that DORA compliance can be enforced and effective remedial measures implemented. The three European supervisory authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)) will monitor compliance, and non-compliance could result in administrative fines and penalties. A comprehensive incident management approach, supported by a detailed checklist, helps evaluate operational resilience and maintain the cybersecurity measures necessary for information security.
3. Digital operational resilience testing
The DORA compliance journey requires the financial ecosystem to conduct digital operational resilience testing to evaluate operational resilience and verify preparedness against ICT-related risks. These tests include regular threat-led penetration tests and risk-based assessments to evaluate the institution’s defenses.
Financial entities, including audit firms and reinsurance intermediaries, must perform resilience testing every three years, while annual risk assessments help identify vulnerabilities within their operations. By conducting these tests, institutions can enforce compliance with the DORA regulation as well as ensure they are prepared for ICT disruptions and data breaches.
Supervisory and competent authorities will oversee the testing and impose penalties if the critical benchmarks of the DORA requirements are not met. Penetration tests and risk assessments are crucial to ensuring operational resilience and demonstrating compliance with regulatory requirements.
4. Information and threat intelligence sharing
Sharing is caring. Under the DORA regulation, information security is strengthened through the sharing of information and threat intelligence among the affected institutions. To achieve DORA compliance, financial entities, including investment firms and crypto asset service providers, are encouraged to collaborate and share insights on emerging threats. This cooperation is vital for building a secure financial ecosystem, mitigating the challenges posed by ICT-related incidents and easing the incident management process.
Sharing actionable intelligence on cyber risks and information assets also helps protect against widespread cyber attacks that could affect multiple institutions. This collaborative approach enables entities to compensate customers quickly in the event of a data breach or other risk related to ICT services, reinforcing the sector’s operational resilience.
5. ICT third-party risk management
Managing ICT third-party risk is a critical aspect of the DORA regulation. Financial institutions, including audit firms and electronic money institutions, must assess their third-party service providers to mitigate ICT risk.
The DORA regulation mandates annual assessments of ICT third-party risk management processes. These assessments ensure that third-party service providers adhere to DORA compliance and have adequate measures in place for ICT risk management. Failure to implement sufficient protocols may lead to non-compliance, resulting in administrative fines and remedial measures imposed by national competent authorities across EU member states.
Who does DORA impact?
The DORA requirements are a prime concern for all financial institutions that handle large amounts of data within the EU, including banks, credit institutions, insurance companies, payment processors, investment firms, and many more. ICT third-party service providers need to implement the law as well. The regulation even affects financial institutions outside the EU that provide services in the EU.
DORA also affects a range of entities like crypto asset service providers, electronic money institutions, and reinsurance intermediaries, emphasizing the need for robust resilience across the ecosystem.
Organizations should determine whether they must abide by the regulation and take the necessary steps. If you are still deciding whether you are included in the institution list, contact us for more information.
What does history tell us?
Who remembers the implementation of GDPR on May 25, 2018? The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the protection of personal data and the privacy rights of individuals within the EU.
At the time, businesses faced various challenges due to the significant changes in data protection requirements. However, many organizations tried to comply with the regulation by implementing necessary measures such as appointing data protection officers, conducting privacy impact assessments, and revising their data processing practices.
Unfortunately, some companies experienced penalties for non-compliance. After implementing GDPR, companies like Google, British Airways, and Marriott International received hefty fines.
The largest and most recent fine so far is the one imposed on Meta in May 2023: €1.2 billion ($1.3 billion), issued by an Irish regulator over U.S. data transfers.
It’s important to note that fines can be adjusted during enforcement. GDPR authorities have been imposing penalties of up to 4% of a company’s annual global turnover or €20 million, whichever is higher.
Consider this
Relevant financial regulators will supervise financial institutions and organizations that provide services to financial institutions. They must follow specific terms to comply with DORA’s requirements, like incident reporting within a particular detection timeframe.
The DORA law requires enterprises to establish, adapt, and evidence risk-based policies that maintain resilience and a high level of information security, tracking the KPIs of their security metrics program.
If you only use one digital service provider, DORA advises switching to multiple providers to maintain organization-wide security. It is best to use a variety of security vendors rather than relying on just one that might go out of business due to neglected cyber threats.
DORA Compliance Checklist for Organizations
Achieving DORA compliance requires a structured approach to managing ICT risks and ensuring operational resilience across your organization. Below is a detailed checklist that organizations, including financial institutions and auditors, can follow to meet DORA requirements and safeguard against cyber threats.

Determine DORA Scope
Organizations must first identify whether they fall within the scope of DORA regulations. This includes assessing whether your entity qualifies as a financial institution, investment firm, or a provider of ICT services in the EU’s financial sector.
Consider which supervisory authorities oversee your compliance, such as the European Banking Authority (EBA) or the European Securities and Markets Authority (ESMA).
Evaluate your business activities, focusing on the critical services or ICT functions that could impact financial stability, and identify key third-party providers involved in ICT operations.
Create a Digital Operational Resilience Strategy
A comprehensive strategy is essential to ensure your organization can withstand ICT disruptions and other threats. Define a strategy that covers prevention, detection, response, and recovery from incidents. Ensure the strategy aligns with broader infosec goals and considers both internal and external threats.
Evaluate Risks and Vulnerabilities in Your ICT Systems
Conduct regular assessments of your ICT systems to identify and evaluate vulnerabilities within them. Involve statutory auditors in reviewing the effectiveness of your risk management processes. Perform resilience testing, including penetration tests and scenario-based assessments, to identify and mitigate vulnerabilities. Consider emerging cyber threats that could impact your operational environment. Regular cybersecurity testing helps ensure that your systems are resilient against potential cyber threats.
Identify and Secure ICT Assets
Ensure the security of all essential ICT assets, including hardware, software, data, and networks. Implement security controls to protect these assets from data breaches and disruptions. Ensure third-party providers are compliant with DORA and have proper security protocols in place.
Establish an ICT Risk Management Framework
A well-defined ICT Risk Management Framework must be integrated into the organization’s overall strategy. The framework should address risks, including those from external service providers and internal vulnerabilities. Establish proper oversight and define roles and responsibilities for managing risks. Using Virtual CISO services ensures your framework is robust and aligned with regulatory standards.
Develop an Incident Response Plan
Create a formal incident response plan to ensure quick recovery from disruptions. The incident management plan should outline procedures for identifying, reporting, and addressing threats. Ensure incidents are reported to relevant authorities promptly and include protocols for maintaining service continuity.
Monitor ICT Systems
Continuously monitor your systems to detect early signs of threats or disruptions. Use monitoring tools that allow real-time detection of potential issues and suspicious activities.
Review and Update Statutory Audits
Engage with statutory auditors to ensure compliance by periodically reviewing your resilience strategies. Conduct regular audits to evaluate the effectiveness of your operational resilience approach and implement updates based on findings.
This DORA Compliance Checklist serves as a guide for organizations aiming to enhance resilience and meet regulatory requirements imposed by supervisory authorities.

Achieve Full DORA Compliance with AMATAS
Navigating new data compliance laws requires seamless coordination across your legal, compliance, IT, security teams, vendors, employees, and data protection authorities. Ensuring proactive communication and informed decision-making helps safeguard personal data, mitigate risks, and foster a strong culture of privacy.
Our Virtual DPO services can help you in managing risks, enhancing training, and maintaining compliance, so you can confidently meet DORA requirements and build lasting trust.
Need expert guidance on DORA compliance? Book a meeting with our experts today for tailored advice and comprehensive support.