Cybersecurity is quickly becoming one of the most mission-critical departments in any business and country — and with good reason. Cyberthreats are on the rise in nearly every industry and nation worldwide. In response, the European Union is taking steps to protect its financial sector by implementing the Digital Operational Resilience Act.
DORA is a regulatory framework that aims to strengthen the financial sector's cybersecurity. The law will impact all EU member states by setting specific regulations to help financial companies and the third parties they work with withstand and respond to cyberthreats. While the act won't take effect until January 2025, it's best to understand its impact now so you can start preparing.
What Is the Digital Operational Resilience Act?
DORA intends to bolster the digital operational resilience of the EU's financial sector. It will do this through various requirements focused on ensuring the security of the networks and information systems used by finance companies. The act also covers third-party information and communication technology (ICT) businesses that provide critical and essential services, such as cloud platforms and data analytics, to the financial sector.
As cyberthreats grow, DORA sets out a standard regulatory framework for all EU member states to help the financial sector withstand, respond to and recover from any ICT incidents. DORA's primary goal is to try to stop or reduce the effects of cyberattacks.
DORA has five pillars to guide the financial sector toward improved digital resilience:
- ICT risk management
- ICT incident reporting
- Resilience testing
- Intelligence sharing
- Third-party risk management
Another aim of DORA is to improve our understanding of cyberattacks, which is why ICT reporting and information sharing are significant parts of the act.
Who Does DORA Affect?
DORA and finance go hand in hand, as the act covers any financial institution that operates within the EU. Even if a business is headquartered in another country, it will be subject to DORA if it does business anywhere in the EU. Companies in these industries will feel the effects of DORA regulations:
- Insurance companies
- Credit institutions
- Payment companies
- Investment firms
- Electronic money institutions
- Crypto asset service providers
- Issuers of crypto assets and asset-referenced tokens
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Central securities depositories
- Insurance and reinsurance companies and intermediaries
- Ancillary insurance intermediaries
- Credit rating agencies
- Data reporting service providers
- Statutory auditors and audit firms
- Crowdfunding service providers
- Financial systems providers
- Fintech companies
The Five Pillars of DORA
How does DORA work? The act's regulations cover five foundations, each focusing on a different aspect of digital resilience, from risk management to information sharing and testing. Let's break them down.
1. ICT Risk Management
The first pillar concentrates on ICT risk management. According to DORA, financial institutions must have a robust internal framework to mitigate and manage ICT risk. This ICT risk management framework should include strategies, policies and protocols that take effect in the event of a breach.
Financial institutions need an ICT security system that can also identify any weak points or breaches. They should also have well-defined strategies for addressing these vulnerabilities, including recovering any stolen or lost data, strengthening the system after an attack, developing essential documentation and communicating the event to the relevant parties. Other elements of ICT risk management include:
- Creating business continuity plans
- Developing disaster recovery strategies
- Understanding how disruptions impact different assets
- Defining disruption tolerances
- Creating security controls for vital assets
- Developing backup plans for disrupted processes and systems
- Having backup and restoration networks in place
Don't forget about technology! Servers, computers, networks and laptops are integral to any business. As part of ICT risk management, companies must use reliable, stable and up-to-date technology to meet their ICT needs.
That doesn't mean buying top-of-the-range equipment and replacing it whenever something new comes out. Doing so is impractical, wasteful and expensive. Instead, companies should focus on equipment and technology that provide high-level security while still enabling staff to perform their duties. ICT risk management systems require annual reviews and internal audits to identify any weaknesses or opportunities for improvement before hackers attempt to exploit them.
Financial supervising authorities may also request to review the risk management systems companies have in place.
2. ICT Incident Reporting
One of DORA's primary aims is to harmonize the EU's response to ICT threats, improving understanding of vulnerabilities across the financial sector. ICT incident reporting is a central requirement of DORA. The act requires companies to identify and document any noteworthy ICT incidents and report them to the relevant authorities within a month of their occurrence.
After a breach, companies should evaluate the incident to understand and classify it, including who and what it affected. Data is the fundamental focus of reporting. When evaluating data, keep three elements top of mind: confidentiality, integrity and availability. Did hackers steal or alter the data, and is it still accessible? Or are you facing an Ashley Madison-level leak?
Additional elements to consider when classifying an incident include:
- The number of users affected
- How far or deep the breach reached into the system
- Which services or processes experienced problems
- How long services were down
- The severity of the incident
- If the impact spread across locations or branches
Once a company has appropriately categorized an incident, it can report it to the relevant authorities. Reporting consists of three stages: the first notification of an incident, an intermediate report with initial findings and a final report with a complete root cause analysis.
DORA has two additional objectives for the reporting process. One is to set up a central EU hub for reporting to various national or financial authorities. Having an EU hub will help streamline this process. Further, instead of several institutions only looking at the reports they receive, a central hub ensures one group reviews all the data to better understand the ICT threats facing the financial sector. The EU hub can then suggest strategies and policies that strengthen the financial industry against ICT risks.
The second objective is to create a standardized reporting template. Ideally, the template should guide companies on how to report an incident and what information is necessary. A universal reporting method can make it easier for the authorities to find the necessary information. It may also make developing strategies to protect against ICT risks easier, as all the relevant data is in one place.
3. Digital Operational Resilience Testing
Frequent testing is the only way to ensure a system is working correctly. DORA requires financial entities to undergo regular digital operational resilience testing by independent parties. These parties can be internal or external and need to test the ICT systems supporting essential functions, including any functions outsourced to third-party contractors. Testing should include threat-led penetration testing (TLPT) and take place every three years.
Companies also need to develop a response to the test results. For example, what steps will you take if testing shows your firewall is more of a suggestion than a functional barrier? Your frameworks should include procedures and policies to classify and prioritize the vulnerabilities testing reveals before fixing them. There should also be an internal validation process to confirm that any weaknesses or gaps have been thoroughly addressed.
4. Information and Intelligence Sharing
DORA encourages financial companies to share information and intelligence about cyberthreats. Like incident reporting, information sharing aims to highlight new threats and share best practices for data protection and operational resilience among financial institutions to help make the financial sector more secure.
Companies must share information in a way that protects any sensitive data, including clients' personal information and company operational secrets. The information should also follow the guidelines on competition policies.
5. ICT Third-Party Risk Management
The fifth and final pillar of DORA is ICT third-party risk management, and it may be one of the most challenging components to adhere to. Financial institutions that rely on third parties to support critical systems must manage the risk those ICT companies can present.
To do so, DORA requires companies to have a clearly defined contract that lays out the following:
- Which ICT functions and services the third party will provide. The contract should indicate whether the ICT service supports an essential system or process, along with any other conditions that apply to the subcontracting.
- Comprehensive service descriptions.
- The third party's obligations in an ICT incident. These include assisting in addressing the incident and reporting it to the relevant authorities.
- Minimum notice periods and rights if either party wants to terminate the contract.
Under DORA, critical third-party service providers must comply with the act's regulations. These businesses have multiple financial institutions relying on them for operational continuity. Their services are also challenging to replace in the event of a disruption.
How Do You Prepare for DORA?
By starting early! While the EU enacted DORA in January 2023, it won't take effect or be enforceable until Jan. 17, 2025, so financial entities and third-party service providers that operate in the EU have time to prepare to meet the deadline. Further, many of DORA's technical requirements are still in the provisional agreement stage, meaning most of the standards are undrafted.
The fact that lawmakers are still finalizing some of the details is no reason to slack off. It is always better to start preparing early. Beginning your preparations now will ensure you have a solid foundation to build upon when DORA's requirements become final. By getting ready now, you may only need to make minor adjustments to be fully compliant. These preparations can also benefit you by making your company more digitally secure and resilient sooner.
Here are four ways you can prepare for DORA's enforcement.
1. Determine if DORA Will Affect You
The first step is straightforward. If DORA won't affect your business, you can save yourself considerable time and energy. DORA will impact your operations if you are a financial institution operating in the EU or a third party providing ICT support and service to EU financial institutions.
If you are a financial institution, you must evaluate your ICT risk management strategies and procedures to ensure they align with DORA. You will also need to decide whether you consider any third-party ICT service providers mission-critical. Start by creating a list of critical and non-critical ICT subcontractors. During an ICT incident, you may need to turn to non-critical vendors as an alternative.
If your business is a third-party service provider, you will need to determine if you will be a critical ICT provider according to DORA. Service providers that fall under this category need to plan how to ensure compliance with the regulations set out in the act, including resilience testing and incident reporting.
2. Perform Gap and Maturity Assessments
Once you determine DORA will affect your company, you should perform a gap and maturity assessment on your ICT risk management, testing and governance policies and procedures. Ensure you assess your reporting protocols and how you communicate and deal with incidents. With all the new requirements for financial institutions and third-party providers, it's best to start by knowing what you already have in place.
Once you know what systems you already have in place, you can compare them to the requirements laid out in DORA. The assessments will help identify the resources needed to make your company compliant: time, money, people or equipment. You can then plan system upgrades, policy adjustments and protocol implementations around your budget in a way that has as little impact on your operations as possible.
3. Implement a Testing Framework
Testing is a significant aspect of DORA. If you haven't already, look at implementing a testing framework. If you need to subcontract testing to a third-party provider, ensure they are aware of DORA and are working to become compliant. Your testing framework must include threat-led penetration testing (TLPT).
4. Evaluate Your Response and Recovery Strategies
When a cyberattack happens, you need to be ready to respond and recover as quickly as possible, so evaluate your response and recovery strategies. Even if you have well-defined and developed response strategies, they may not align with DORA requirements, particularly regarding incident reporting.
Prepare for DORA With Eden Data
DORA may sound intimidating. With the five pillars and its complex requirements for reporting, risk management and testing, where do you even begin? By contacting Eden Data. Our team of experienced cybersecurity specialists will do all the hard work for you, from comprehensive cybersecurity audits to developing DORA-compliant data security systems. We can even help with ICT risk management and operational testing!
Save time! Contact us today to start your DORA preparations!