
By Josh Neame, CTO, BlueFort Security 

I spend a lot of time talking to CISOs and heads of cybersecurity in financial firms about the things that keep them up at night. Top of the list of sleep inhibiting concerns is how on earth do they keep up with the slew of regulatory frameworks that are either currently in force or hurtling fast towards them.  

You are probably familiar with existing laws like the NIS2 Directive (NISD) and the General Data Protection Regulation (GDPR). While they focus on digital, information and cybersecurity, DORA goes a step further and focuses on digital and cyber resilience.

Commonly referred to as DORA, the Digital Operational Resilience Act Regulation (EU) 2022/2554 is a new regulatory framework established by the European Union. Its aim is to strengthen the digital resilience of financial organisations against cyber security and information communications technology (ICT) related disruptions. It comes into force on 17th January 2025. 

The Thinking Behind DORA 

With the finance world becoming more technology dependent – from online banking to blockchain – we’re not just talking about bankers anymore. There’s a whole ecosystem of tech partners, data providers and cloud services tied into the delivery of financial services. All that connectivity makes for one sprawling threat surface, ripe for cyber-attacks. 

Before DORA, the approach to operational risk in finance was pretty straightforward. Companies set aside capital to handle potential losses. Traditional risk management didn’t fully cover today’s tech-heavy landscape, and ICT (Information and Communication Technology) incidents weren’t getting the attention they deserved. Some go so far as to describe DORA as being introduced to address a critical gap in EU financial regulation. That may seem harsh, but when you dig into it, it’s probably a fair assessment of the situation.

So, what happens when DORA comes into play? Financial institutions will have to follow a rigorous playbook for handling technology-related incidents. We’re talking about five main pillars: protection, detection, containment, recovery and repair. DORA zooms in on ICT risks like a laser, laying out rules for risk management, incident response and reporting, resilience testing, and even the oversight of tech partners. 

In short, operational resilience isn’t just about keeping enough funds to ride out the rough patches—it’s about ensuring the entire system can bounce back from tech disruptions. DORA is stepping in to make sure financial services can withstand, recover and thrive, even when ICT issues occur. 

The Scope of DORA 

DORA’s scope is extensive, encompassing a broad spectrum of financial institutions from banks and insurance companies, to investment firms and payment service providers. Importantly, the regulation also extends to third-party providers offering ICT services to these financial entities.  

By including any institution engaged in financial transactions or services, DORA ensures that all critical players within the financial ecosystem will be bound by its strict compliance standards, and that every relevant entity is required to meet the rigorous DORA compliance requirements.

Five key pillars of DORA 

Within the regulatory standards of DORA there are five key pillars:  

1. IT Risk Management 

Companies must establish a comprehensive IT risk management framework to identify, assess, and mitigate ICT risks. Regular assessments and updates are essential for effective risk management purposes. 

2. IT Incident Reporting 

Companies must demonstrate they have processes in place to detect, report and investigate ICT-related incidents. This includes having clear reporting channels, procedures for classifying incidents based on severity, and timely notification to relevant authorities. 

3. Digital Operational Resilience Testing 

Companies must regularly test their digital operational resilience abilities against IT disruptions. This testing should simulate various attack scenarios and assess the effectiveness of controls in place. 

4. IT Third-Party Risk Management 

Third-party risk management is of the utmost importance to operational resilience. Companies need to conduct due diligence on third parties, have contractual agreements outlining security expectations, and monitor their performance. To minimise the chances of disruption and breaches originating with these providers, finance firms should subject them to proper risk management processes.

5. Information and Intelligence Sharing 

Sharing information about cyber threats with different financial entities helps improve overall robustness within the industry. DORA encourages collaboration and information sharing on cyber threats among financial institutions. Sharing knowledge helps detect threats more efficiently and address them more effectively.  

The Penalties for DORA Non-Compliance 

The European Supervisory Authorities (ESAs) hold significant enforcement powers under DORA, with the authority to impose substantial fines on non-compliant firms. Organisations that fail to meet DORA’s requirements can face penalties reaching up to 2% of their total annual global turnover, while individuals may be fined up to €1,000,000. 

For third-party providers deemed critical by the ESAs, the stakes are even higher. These providers risk fines of up to €5,000,000, with individuals facing penalties of up to €500,000 for non-compliance.  

Additionally, if a financial institution neglects to report a significant ICT-related incident or threat, the ESAs can impose further fines, underscoring the high priority placed on operational resilience and transparency in the financial sector. 

Preparing for DORA – how BlueFort Security can help 

The journey toward DORA compliance can seem daunting, with its detailed requirements and demonstrable need for thorough ICT vendor management. Added to that, there’s no cookie cutter approach that will deliver DORA compliance. The specific actions a company needs to take will depend on factors such as size, threat profile, risk tolerance and the type of ICT systems they use.  

The experienced team at the heart of our BlueFort Evolve cyber services program is here to help you navigate this journey. They are ‘on tap’ industry experts to help you cut through the noise and simplify the complexities around DORA compliance. 

To help kick-start the process, we have devised a simple checklist which determines the actions needed to help achieve DORA compliance. These include:  

DORA signals a major shift in regulating cybersecurity. It has a clear purpose: to guarantee the ability of businesses to maintain operations in the face of severe disruptions caused by cyber threats and other significant ICT issues.

If you’d like to know more, or you’re interested to explore how BlueFort can help, get in touch via our contact us form.