The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. Its goal is to enhance the cyber resilience of the financial sector, ensuring that financial institutions, including banks, investment firms, and insurance companies, can withstand and recover from various types of digital disruptions and cyber threats.
What’s behind DORA?
In February 2016, the world saw its first cyber bank heist, proving that there was a systemic cybersecurity problem in the global financial system. And it is only getting worse.
The financial sector has become increasingly dependent on digital systems and information. COVID-19 acted as a catalyst for this, increasing demand for online financial services and normalising work-from-home arrangements. This has opened up new attack vectors for hackers to exploit.
In April 2020, the Financial Stability Board (FSB) stated, “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.” By looking at the Russian cyberattacks against Ukraine, it’s easy to see how increased dependence on digital systems is posing a greater threat to national and international critical infrastructure and systems. The financial cost and the loss of public trust from a cyberattack on the financial sector would be devastating.
The goal of DORA is to protect the European financial market’s integrity and stability by boosting the cyber resilience of the financial system as a whole. The system is only as strong as its weakest link, so this can only be achieved with the cooperation of all private institutions.
What are the main areas of DORA?
1. Scope and Applicability:
- DORA applies to a wide range of financial entities, including banks, investment firms, insurance companies, payment service providers, and critical third-party ICT service providers.
2. ICT Risk Management:
- Financial entities are required to establish robust ICT risk management frameworks to identify, assess, and manage ICT-related risks.
- They must ensure that their ICT systems and tools are secure and resilient, and that they can maintain the continuity of critical functions during disruptions.
3. Incident Reporting:
- Entities must report significant ICT-related incidents to relevant authorities. This aims to improve the monitoring and response capabilities of the financial sector to such incidents.
- The reporting process is standardized to ensure consistency and efficiency in handling and analyzing incidents.
4. Testing and Cybersecurity:
- Regular testing of ICT systems and cybersecurity measures is mandated to ensure ongoing operational resilience.
- This includes conducting threat-led penetration testing to identify vulnerabilities and rectify them promptly.
5. Third-Party Risk Management:
- Financial institutions must manage risks associated with third-party ICT service providers, including cloud service providers.
- There are requirements for the oversight and monitoring of third-party providers to ensure they comply with operational resilience standards.
6. Governance and Oversight:
- Entities must have clear governance structures for ICT risk management, involving senior management and board-level oversight.
- They need to ensure accountability and proper allocation of responsibilities within the organization.
7. Regulatory Coordination:
- DORA encourages cooperation and information sharing between national and European supervisory authorities.
- This aims to create a harmonized approach to digital operational resilience across the EU.
What happens if I fail to comply?
Financial institutions have until 17 January 2025 to become compliant with DORA’s requirements. Organisations that fail to comply before the deadline are subject to multiple sanctions, including steep penalties, a ban on certain parts of their operations, or a prohibition against using certain third-party providers until compliance is assured. Beyond the sanctions, failure to achieve DORA compliance would cost organisations their reputation, market trust, and future business, jeopardising their survival.
What to do?
Affected institutions will have to take a holistic approach to cybersecurity, encompassing everything from cyber defences to business continuity planning. This will likely lead to an increase in operational costs, at least in the short term, but will prevent costly damages later.
Steps for Organizations to Comply with DORA
1. Know the requirements for your organisation.
Understand DORA’s full text and related guidelines. Identify applicable sections based on your organisation’s profile.
2. Assess your security posture.
Evaluate your current security measures to identify weaknesses and areas for improvement.
3. Enhance third-party risk management.
Ensure suppliers and service providers adhere to your cyber risk management standards through due diligence and regular audits.
4. Invest in cybersecurity training.
Provide ongoing training for employees to stay updated on the latest cybersecurity practices and threats.
5. Implement robust incident response plans.
Develop and regularly test comprehensive plans to handle cybersecurity incidents effectively.
6. Review and update IT infrastructure.
Assess and upgrade your IT systems to ensure they meet DORA’s resilience and security requirements.
7. Stay informed.
Keep up with updates to DORA, cybersecurity trends, and emerging threats to remain compliant.
8. Allocate resources appropriately.
Ensure sufficient budget, personnel, and tools are dedicated to maintaining cybersecurity and compliance efforts.
9. Regularly review and update.
Continuously monitor, review, and update your cybersecurity policies, procedures, and systems to maintain compliance and address new risks.
Conclusion
The act will establish a standardised and robust vendor risk management framework within the financial sector. Firms must ensure that their suppliers and service providers, especially those designated as critical third-party service providers, adhere to the same cyber risk management standards as they do. This will involve performing thorough due diligence, conducting regular audits, and potentially renegotiating contracts to incorporate clauses related to DORA compliance.
Although DORA brings newer and more clearly defined requirements than ever before, it is not a surprise. The European Supervisory Authorities (ESAs) have been placing greater emphasis on cybersecurity risk management practices within the financial sector for years.
While DORA is a significant and necessary step forward for securing European financial systems, it brings uncertainty and increased operational costs. Our team can help you navigate this. We can offer a security assessment to help identify security gaps and an advanced asset management solution to help improve your cyber defences.