The EU Digital Operational Resilience Act (DORA) Guide

‘EU Dora’ is the answer from the European Commission to the rising tide of cyber risks facing financial institutions with resilient ICTs. It introduces mandatory measures for organisations to strengthen their digital operational resilience.

The full name is “Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)”.

In this article, we examine the essence of DORA, who it affects, and the critical steps toward compliance, which will become necessary by 2025.

Key Points on EU DORA Regulation

• The European Union Digital Operational Resilience Act (DORA) from the three European supervisory authorities and the European Banking Authority aims to enhance financial entities’ cybersecurity and ICT risk management within the EU, requiring them to implement detailed ICT risk frameworks and incident reporting protocols.

• DORA encompasses a wide range of financial institutions. It includes a clear timeline for implementation, with the operational requirement starting on January 17, 2025, and transition periods designed to facilitate phased compliance and readiness among entities.

• The objective remains to strengthen the operational resilience of critical ICT systems to support a sound EU financial system. European Council adopted DORA to ensure their financial systems can withstand and respond to security payment-related incidents and related ICT systems used by the financial sector.

• Under DORA, financial entities must conduct comprehensive risk management, systematic incident reporting, and regular operational resilience tests. At the same time, ESAs oversee compliance, enforce regulations, and support the management of ICT third-party risks.

Exploring the Digital Operational Resilience Act (DORA) for the financial sector

The digital transformation has revolutionised the financial sector, with advancements like crypto assets and digital finance strategies becoming commonplace. However, these technological changes have also brought about new challenges, with the industry becoming increasingly vulnerable to severe operational disruptions from ICT incidents.

Enter DORA, the game-changer that seeks to fortify the EU financial sector’s digital resilience.

DORA is the collaborative work of the relevant European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs). DORA enforces a rule upon financial entities to tackle cyber risk by creating a thorough ICT risk management framework, including strategies, policies, procedures, protocols, and tools to mitigate ICT risks.

DORA presents organised incident reporting protocols, necessitating financial entities covered to track, record, and report significant ICT incidents, thereby boosting operational resilience.

Understanding the Scope of DORA Legislation

DORA’s impact stretches over a wide array of financial and credit institutions too, encompassing:

• European securities firms

• Banks

• Fintechs

• European insurance

• Investment firms

• Other authorised European financial entities

Its impact on financial services institutions is significant, shifting the focus of these institutions from merely ensuring financial soundness to maintaining resilient operations.

It also applies to e-money financial services, crypto asset service providers, crowdfunding service providers or platforms and financial services firms.

DORA presents particular requirements for financial market participants, boosting their defensive measures and preventing and detecting severe operational disruption risks. This ensures that the economic infrastructure is about making profits and preparing for and overcoming potential disruptions.

DORA’s Connection with Information and Communication Technology (ICT)

DORA’s connection with ICT is like a knight’s bond with their armour, providing a protective shield against ICT-related threats. It imposes consistent requirements on financial institutions and their critical ICT providers, including provisions for:

• ICT risk management

• Incident reporting

• Operational resilience testing

• ICT third-party risk monitoring

DORA necessitates that financial institutions uphold a robust ICT infrastructure, considering the resilience of their operations and secure management of ICT systems. This encompasses critically ICT-related risk domains such as risk management, the security and continuity of the financial system and ICT systems, and financial entities’ overall digital operational resilience.

By doing so, the Digital Operational Resilience Act equips the financial sector with the necessary armour to withstand ICT incidents and recover from such events, ensuring ongoing operational stability.

Timeline and Implementation of DORA Compliance

Shifting to a new regulatory framework can sometimes seem like steering through a maze. Fortunately, DORA provides a clear timeline for its implementation. It was officially announced on January 16, 2023, and is scheduled to take effect on January 17, 2025. The transition period for entities to adhere to DORA requirements is also well-defined, providing a roadmap for a smooth journey to compliance.

Countdown to Compliance

At first sight, the countdown to DORA compliance might appear daunting. However, the journey becomes less daunting when broken down into manageable steps. The process involves initiating ICT business impact analysis surveys, conducting business impact analyses and conducting qualitative and quantitative business assessments.

In the implementation period, financial institutions are expected to assess their organisation’s scope, understand the five pillars of the Digital Operational Resilience Act, have comprehensive business continuity policies, and adhere to the 12 steps for DORA Act compliance. This responsibility extends to their suppliers, ensuring their business operations adhere to DORA regulations.

Transition Periods and Phases for the DORA framework to be in place

Achieving DORA compliance is a prolonged journey, not a race, with transition periods and phases permitting financial institutions to implement DORA requirements progressively.

The transitions encompass the implementation phase starting on January 17, 2025, and the development of draft regulatory technical standards by early 2024.

During the transition phase, financial institutions are expected to:

• Conduct comprehensive reviews of their governance arrangements, policies, controls, and risk assessment and mapping activities

• Ensure alignment with DORA requirements

• Reach significant milestones such as full compliance by January 2025.

The Pillars of DORA: Key Components Explained

DORA rests on five pillars, each tackling varied aspects of ICT and cybersecurity. These pillars are the foundational blocks underpinning financial entities’ operational resilience. They represent an all-encompassing approach to ICT risk management, encompassing:

• Strategies

• Policies

• Procedures

• Tools

These are aimed at minimising risk and safeguarding ICT assets.

Operational resilience testing stands out as a critical component. Under DORA, entities must form and maintain a solid digital operational resilience testing program to guarantee their capability to proficiently handle and alleviate risks associated with their ICT systems and services.

ICT Risk Management Essentials

Just like a ship’s captain steering through dangerous waters, financial institutions must manoeuvre the domain of ICT risk management. Establishing a comprehensive risk management framework in ICT involves the development of:

• strategies

• policies

• procedures

• ICT protocols

• tools

These components aim to mitigate risks and ensure the security, stability, and continuity of ICT services across an organisation, including those offered by cloud service providers.

The core components of an ICT risk management framework encompass strategies, impact minimisation tactics, protection and prevention measures, and response & recovery protocols, among others. Continuous risk assessment is executed through quantitative risk analysis models, supplemented by a constant risk management strategy that continuously monitors threats and adapts to emerging risks. Financial institutions are advised to prioritise robust cybersecurity technologies like firewalls, encryption, and intrusion detection systems to combat cyber threats effectively.

Incident Reporting Protocols

Incident reporting is similar to a ship’s log, recording any major ICT related incidents that threaten the security of the network and information systems. Financial entities must systematically monitor, document, and report ICT incidents as part of their initiatives to enhance operational resilience.

The European Supervisory Authorities (ESAs) are crucial in implementing technical standards and streamlining the incident reporting process. They are developing a unified procedure for reporting significant cyber threats and incidents and have released preliminary Regulatory Technical Standards concerning categorising major incidents and notable cyber threats.

Under DORA, incidents should be reported within four hours of classification or no later than 24 hours after detection.

Digital Operational Resilience Act (DORA) Testing Requirements

Testing is vital to any journey, ensuring the ship is seaworthy and ready to face storms. DORA mandates financial institutions to conduct threat-led penetration tests every three years and carry out vulnerability assessments and scenario-based testing annually.

Partnering with accredited providers like Cyphere can be a game-changer for financial institutions. Cyphere’s CREST-accredited penetration testing includes service quality-focused assessments, providing financial institutions with actionable guidance that covers strategic and tactical risk remediations.

The Role of European Supervisory Authorities in DORA

As lighthouses safely direct ships to the shore, the European Supervisory Authorities (ESAs) steer financial institutions towards DORA compliance. To ensure compliance of payment institutions with DORA, they establish rules governing:

• ICT risk management

• Incident reporting

• Operational resilience testing

• ICT third-party risk monitoring

This same oversight framework is crucial to maintaining resilient ICT systems.

The ESAs possess specific authorities under DORA, including establishing rules on ICT and third-party risk management and incident reporting. By offering early advice and recommendations and ensuring they maintain resilient operations during severe operational challenges, ESA collaborated with financial institutions to enforce DORA.

Monitoring and Enforcement Actions

The ESAs supervise financial institutions’ compliance with DORA regulations, similar to a watchtower monitoring a fortress. They have the authority, acting as markets authority and an occupational pensions authority, to implement enforcement measures, including the imposition of fines, to address non-compliance by institutions under DORA.

The enforcement of DORA requirements commences 24 months after it enters into force.

Collaborative Efforts for Enhanced Security

Collaboration is the key to success, and this holds in the realm of digital operational resilience. The ESAs improve security under DORA by utilising collaborative strategies, establishing a comprehensive framework on digital operational resilience, and promoting enhanced security measures.

Through collaborative endeavours, the ESAs facilitate digital finance strategy and the exchange of information with financial institutions. They develop technical standards and have formulated best practices, including integrating digital resilience across all operational levels and reinforcing firms’ resilience to mitigate technology and cyber risk.

The cooperation between ESAs and financial institutions has improved security in the EU financial sector, facilitated by a stringent regulatory and supervisory framework and guidance on risks and vulnerabilities.

Managing ICT Third-Party Risks Under DORA

Steering through the sea of digital operational resilience entails managing ICT third-party risks. DORA stipulates regulations regarding the following:

• ICT risk management

• Incident reporting

• Operational resilience testing

• ICT third-party risk management

Through the lens of DORA, managing ICT third-party risks is not an optional endeavour but a mandatory requirement for financial institutions. It enhances the control of ICT risks and improves the resilience of financial institutions. DORA proposes the following measures for managing third-party ICT risks:

• Maintain full responsibility for third-party ICT services

• Implement ICT risk-management

• Establish incident reporting procedures

• Conduct operational resilience testing

• Monitor ICT third-party risk

Due Diligence and Oversight Measures

Just as a ship’s captain must diligently oversee his crew, financial institutions must be diligent in managing third-party risks. This involves maintaining a register of all agreements with third-party account information service providers and instituting a thorough due diligence procedure for their assessment and designation.

A comprehensive risk assessment encompasses using automated platforms to identify, assess, manage, and continuously monitor third-party risks, including ICT service providers. Additionally, financial institutions must determine third-party compliance with pertinent information security standards.

DORA mandates financial entities to identify pertinent risks, ensure operational resilience, and notify competent authorities of significant ICT incidents.

Strategies for Maintaining Resilient Operations

Maintaining resilient operations under DORA involves mapping dependencies, managing third-party risk, and ensuring that the relevant authorities directly oversee critical providers.

DORA offers guidelines for third-party risk management, which encompass:

• Utilisation of a Third-Party Risk Management Platform

• Issuance of regulations by ESAs for ICT and third-party risk management

• Establishment of a framework for overseeing critical ICT third-party service providers

• Supervisory authorities directly provide supervision

Navigating Compliance: Tools and Resources for Financial Institutions

The voyage to DORA compliance is a journey that financial institutions need not embark upon alone. Various tools and resources can facilitate this journey, providing a compass to navigate the seas of compliance.

Gap Analysis and Readiness Checklists

Gap analysis and readiness checklists serve as nautical charts, clearly showing an organisation’s adherence to DORA requirements and identifying discrepancies. These checklists help institutions comprehend the necessary actions to achieve compliance and enhance cybersecurity standards.

Performing comprehensive gap assessments is akin to charting a map of the unknown, ensuring that every potential pitfall in the ICT landscape is identified and addressed for DORA compliance.

Partnering with Cyphere for your DORA requirements

Steering through the waters of DORA compliance can become more straightforward with a trustworthy partner. Cyphere provides professional cyber security services to facilitate DORA compliance for financial institutions. These services encompass:

• Secure development through DevOps

• Governance

• Compliance

• Risk Control

Cyphere provides various solutions, including capability building, maturity assessment, and technical risk validations such as penetration testing and vulnerability assessments in line with DORA training and testing requirements. This comprehensive approach to managing ICT third-party risks ensures effective information, communication, and technology asset management for third-party service providers.

Summary

In the complex waters of the digital finance world, DORA acts as a lighthouse, guiding the EU’s financial sector towards enhanced operational resilience. Addressing ICT risk management, incident reporting, and third-party risk management provides a comprehensive and uniform framework for managing ICT risks. With the European Supervisory Authorities playing a crucial role in its implementation and monitoring, DORA ensures that the EU’s financial sector withstands ICT-related disruptions and maintains resilient operations.

We offer free consultation to discuss your concerns. Should you need to schedule an assessment, get in touch. 

Frequently Asked Questions

What does DORA stand for?

DORA stands for Digital Operational Resilience Act.

What is the EU DORA?

EU DORA, or the Digital Operational Resilience Act, aims to improve operational resilience rules for the financial sector, covering various financial entities and ICT third-party service providers. Its goal is to establish a universal framework, removing potential gaps or conflicts between regulations in each EU member state.

Is Dora applicable in the UK?

DORA will be applicable in the UK by early 2025, and financial entities will be expected to comply with the regulation by that time.

Who is exempt from Dora?

Managers of Alternative Investment Funds and Insurance and Reinsurance Undertakings are exempt from DORA regulations. This exemption is specified in Article 2(3) of DORA.

What are the five pillars of Dora regulation?

The five pillars of DORA regulation are ICT risk management, ICT-related incident management, digital operational resilience testing, third-party management, and information sharing. These pillars form the basis of the legislation, addressing critical aspects of digital operational resilience.

What is the purpose of DORA, and why was it introduced?

The purpose of DORA is to enhance the resilience of the EU financial sector to ICT-related incidents. It was introduced to create a standardised framework for managing and reducing ICT risk due to the increasing dependence of the financial industry on digital technologies.