
The Digital Operational Resilience Act (DORA) Explained

Boaz Gam

CEO

22.09.2022
Article content
  1. Digital Finance Package: the Big Picture Around DORA
  2. To Whom Does DORA Apply?
  3. Scope of the Digital Operational Resilience Act
  4. DORA’s Development Timeline
  5. How to Prepare for the Implementation of DORA?
  6. Now Is the Perfect Time to Start Embracing the Changes!

What Is the Digital Operational Resilience Act (DORA)?

DORA, the Digital Operational Resilience Act, is a regulation whose goal is to ensure that all participants in the financial system have the resources they need to mitigate cyber attacks and recover from disruptions associated with fraudulent activity. While this piece of legislation is still in the making, it is expected to receive final approval by the end of 2022.

This guide explains how DORA has been developing since the time it was proposed and gives insights into the influence that its implementation is expected to have. You will also find tips on how to prepare for these changes and avoid critical oversights, so read ahead!

Digital Finance Package: the Big Picture Around DORA


DORA is part of a larger digital finance package, the aim of which is to create a European approach that encourages technological development, ensures financial stability, and provides strong consumer protection.

Aside from DORA, this package features such elements as:

  • A digital finance strategy
  • A proposal on markets in crypto-assets (MiCA)
  • A proposal on distributed ledger technology (DLT)

This legislative proposal complements the regulations already developed by other EU institutions, such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).

All in all, this package optimizes the current legal framework by preventing the existing EU laws from posing obstacles to the use of new digital financial instruments. At the same time, it also ensures that novel tech solutions fall within the regulatory scope and operational risk management arrangements.

To Whom Does DORA Apply?


The Digital Operational Resilience Act will apply to:

  • Traditional financial entities - banks, credit institutions, insurance companies, investment firms, etc.
  • Non-traditional financial players - digital money institutions, crypto service providers, issuers of crypto-assets, etc.
  • Other organizations - data reporting service providers, audit firms, ICT third-party service providers, etc.

Scope of the Digital Operational Resilience Act


DORA is being built around the following requirements:

1. Risk Management

Financial entities will need to develop and follow an ICT risk management framework. They should also establish strong communication with stakeholders who will be involved in the following tasks:

  • Determining the degree of risk and impact resilience from ICT disruptions
  • Creating business continuity strategies
  • Designing disaster recovery plans
  • Developing security controls for critical assets

As you can see, achieving uninterrupted business operations goes beyond implementing a set of policies: it requires entities to establish advanced backup and restoration capabilities.

2. Incident Reporting

According to the new rules, all financial entities will need to submit a root cause report no later than one month after a major ICT incident. DORA will introduce a common EU reporting channel for ICT-related events that uses uniform templates, replacing separate reporting to multiple National Competent Authorities (NCAs).

The data that this centralized hub collects will reveal vulnerability trends across the financial sector and promote further optimization of ICT resilience and security.

3. Resilience Testing


To ensure the reliability of the established ICT defenses, financial firms will need to conduct regular digital operations resilience testing with the help of internal or external independent parties.

Together, such tests will form a digital operational resilience testing program that must feature:

  • Clear methodologies
  • Specific procedures and tools
  • A set frequency
  • A prioritization strategy

Certain Financial Market Infrastructures (FMIs) are already subject to mandatory Threat-Led Penetration Testing (TLPT) frameworks; DORA will simply extend this requirement across the financial services sector.

4. Information and Intelligence Sharing

DORA will enable a convenient exchange of cyber threat information between entities that belong to trusted financial communities. This will be used to spread knowledge regarding new fraud risks, data protection solutions, and operational resilience strategies.

5. Third-Party Risk Management

According to DORA, some third-party service providers will be considered critical if they:

  • Are difficult to substitute in case of an operational disruption
  • Have a large number of financial entities relying on them for operational continuity

The compliance of such critical cloud service providers will be monitored via on-site and off-site inspections. Those who fail to fulfill this regulation might face a fine of up to 1% of daily worldwide turnover.

DORA’s Development Timeline

The creation of an extensive set of laws is a lengthy process. Here’s the timeline of the Digital Operational Resilience Act’s development:

  1. 24 September 2020 - the first draft of DORA was published by the European Commission
  2. 24 November 2021 - the Council of the European Union adopted its negotiating mandate
  3. 25 January 2022 - the trilogue negotiations between the co-legislators started
  4. 10 May 2022 - a provisional agreement was reached
  5. 23 June 2022 - the Council of the EU published the consolidated version of DORA

The release of DORA’s consolidated version means that the regulation should be able to come into effect by the end of 2022. Once DORA comes into effect, the regulations it contains will apply in all EU Member States.

How to Prepare for the Implementation of DORA?


As the estimated time of implementation of the Digital Operational Resilience Act approaches, there are several steps that organizations can undertake to start preparing for it:

1. Conduct a Gap Analysis

Perform a thorough risk assessment against all of DORA's requirements to identify compliance gaps. This will give you an idea of which parts of your ICT systems need to change.

2. Determine Whether You Conduct Critical Activity

If you are a third-party ICT provider, you’ll need to identify whether you are a part of the critical category according to DORA. If that’s the case, start ensuring your compliance strategy has no oversights well in advance. This implies establishing dedicated regulatory teams and introducing advanced data security software.

Financial firms will also need to check which of the third-party cloud service providers they are working with are classified as critical.

3. Introduce a Threat-Led Penetration Testing Framework

TLPT, also known as Red Team Testing, is a controlled attempt to compromise the cyber resilience of an organization. This is done by simulating the tactics, techniques, and procedures (TTPs) of real fraudulent entities. Implementing this framework is an effective tactic for conducting regular security system checks.

Now Is the Perfect Time to Start Embracing the Changes!


The day when DORA comes into full force is just around the corner, so it’s essential to begin preparing for it now! With the information above, you are well-equipped to start building a custom strategy for your organization and to implement all the required adjustments on time.
