DORA, the Digital Operational Resilience Act, is a regulation whose goal is to ensure that all participants in the financial system have the resources they need to mitigate cyber attacks and recover from disruptions caused by fraudulent activity. While this piece of legislation is still in the making, it is expected to receive final approval by the end of 2022.
This guide explains how DORA has developed since it was first proposed and gives insights into the influence its implementation is expected to have. You will also find tips on how to prepare for these changes and avoid critical oversights, so read on!
Aside from DORA, this package features such elements as:
This legislative proposal complements the regulations already developed by other EU institutions, such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
All in all, this package optimizes the current legal framework by preventing existing EU laws from posing obstacles to the use of new digital financial instruments. At the same time, it ensures that novel tech solutions fall within the regulatory scope and within operational risk management arrangements.
The Digital Operational Resilience Act will apply to:
DORA is being built around the following requirements:
1. Risk Management
Financial entities will need to develop and follow an ICT risk management framework. They should also establish strong communication with stakeholders who will be involved in the following tasks:
As you can see, achieving the goal of uninterrupted business operations goes beyond implementing a set of policies: it requires entities to establish advanced backup and restoration capabilities.
2. Incident Reporting
According to the new rules, all financial entities will need to submit a root cause report no later than one month after a major ICT incident. DORA will introduce a common EU reporting channel for ICT-related events, using uniform templates, to replace the multiple National Competent Authorities (NCAs) that entities currently report to.
The data this centralized hub collects will reveal vulnerability trends across the financial sector and drive further improvement of ICT resilience and security.
3. Resilience Testing
To ensure the reliability of the established ICT defenses, financial firms will need to conduct regular digital operational resilience testing, carried out by internal or external independent parties.
Together, such tests will form a digital operational resilience testing program that must feature:
This requirement is already mandatory for certain Financial Market Infrastructures (FMIs) under existing Threat-Led Penetration Testing (TLPT) frameworks. DORA will simply extend it across the financial services sector.
4. Information and Intelligence Sharing
DORA will enable a convenient exchange of cyber threat information between entities that belong to trusted financial communities. This will be used to spread knowledge regarding new fraud risks, data protection solutions, and operational resilience strategies.
5. Third-Party Risk Management
According to DORA, some third-party service providers will be considered critical if they:
The compliance of such critical cloud service providers will be monitored through on-site and off-site inspections. Those that fail to meet the regulation's requirements may face a fine of up to 1% of daily worldwide turnover.
The creation of an extensive set of laws is a lengthy process. Here’s the timeline of the Digital Operational Resilience Act’s development:
As the estimated time of implementation of the Digital Operational Resilience Act approaches, there are several steps that organizations can undertake to start preparing for it:
1. Conduct a Gap Analysis
Perform a thorough risk assessment against all of DORA's requirements to determine where your compliance gaps lie. This will give you a clear picture of which parts of your ICT systems need to change.
2. Determine Whether You Conduct Critical Activity
If you are a third-party ICT provider, you will need to identify whether you fall into the critical category under DORA. If so, start closing any gaps in your compliance strategy well in advance. This means establishing dedicated regulatory teams and introducing advanced data security software.
Financial firms will also need to check which of the third-party cloud service providers they work with are classified as critical.
3. Introduce a Threat-Led Penetration Testing Framework
TLPT, also known as Red Team Testing, is a controlled attempt to compromise the cyber resilience of an organization. It is carried out by simulating the tactics, techniques, and procedures (TTPs) of real adversaries. Adopting this framework is an effective way to run regular, realistic checks of your security controls.
The day when DORA comes into full force is just around the corner, so it is essential to start preparing for it now. With the information above, you are well equipped to begin building a custom strategy for your organization and to implement all the required adjustments on time.