Wed, Jul 3, 2024

Preparing For DORA: A Guide For Financial Institutions

The Digital Operational Resilience Act (DORA) comes into full effect on January 17, 2025, and aims to prevent and mitigate cyber threats by establishing a comprehensive ICT risk management framework for the EU financial industry. The new EU regulation seeks to ensure that financial institutions and critical ICT providers advance their cybersecurity and operational processes to safeguard their key systems, enhancing the industry’s operational resilience.

While many organizations are aware of the new regulation, its scope is expansive, and some in-scope firms may not yet fully understand its risks and ramifications.

As with the lead-up to the launch of the EU GDPR, many businesses may underestimate the amount of work required to become compliant, and those based outside the EU may not realize that they also need to pay attention to the changes. This could put organizations at risk of failing to meet the new regulatory requirements.

To prevent this and ensure that they are ready for the impending changes, businesses should take strategic action now. In this article, we outline the core aspects of the regulation, key recommendations and the steps organizations can take to prepare for January 2025.

Accelerating Operational Resilience in the Financial Sector

Digital operational resilience is defined as the ability of a financial entity to build, assure and review its operational integrity and reliability. This includes ensuring the security of network and information systems, whether through direct means or through indirect services provided by ICT third-party service providers.

Maintaining operational resilience in a fast-moving commercial environment is a critical challenge for financial institutions. Alongside continually evolving cyber threats, the sharp rise in organizational reliance on external environments such as the cloud has created a riskier and more complex landscape in which to do business.

In response, the EU has developed DORA, a robust regulatory framework aimed at harmonizing disparate EU regulations into a single regulation that will be implemented by every EU state. DORA’s overriding objective is to ensure digital operational resilience and to strengthen the IT security of financial entities such as banks, insurance companies and investment firms.

Under the regulation, all in-scope financial entities across EU member states must ensure that they understand the ICT risks facing their organization. They must then take steps to ensure they are able to monitor, detect, withstand, respond to and recover from ICT-related threats and disruptions. Such measures must be proportionate to the potential risks.

DORA requirements apply 24 months after entry into force (January 16, 2023). This means that financial entities are expected to be fully compliant by January 17, 2025. While some further details of the regulation are still being finalized—via the release of detailed Regulatory Technical Standards (RTS) and guidelines that support the initial Level 1 DORA text—an overview of the main aspects can help organizations understand and plan for the changes ahead.


Figure 1: DORA Implementation Timeline

The Five Pillars of DORA

DORA is based on the following five key pillars:

  • ICT Risk Management

A comprehensive risk management framework for ICT systems including policies, procedures, regular assessments and programs

  • ICT-Related Incident Response And Reporting

Standardized reporting of ICT-related incidents based on predefined criteria, timelines and templates

  • Digital Operational Resilience Testing

Testing and assurance of technology resiliency through a combination of techniques including, but not limited to, vulnerability scanning and threat-led penetration testing (TLPT)

  • ICT Third-Party Risk

Stricter controls and processes for third-party risk management and oversight, including upkeep of a suite of ICT outsourcing registers

  • Information Sharing

Mechanisms for sharing information on threat actor activity

While these are the five core pillars or chapters of DORA, wider operational resilience requirements—often fulfilled by organizations’ business resilience and technology resilience functions—are frequently mentioned throughout the regulatory texts. These functions should therefore be key aspects of your DORA remediation program.

Some of DORA’s requirements are straightforward and align with previous/existing regulations applicable to the financial industry. Such requirements should therefore represent a small lift based on what organizations are already doing. Other requirements are more challenging and prescriptive and will require additional effort and resources in order to ensure compliance.

Regulatory Scope: Which Organizations Are Impacted?

The regulation’s scope is very broad and covers nearly all types of firms in the financial sector as well as ICT providers working with or for financial institutions. It is also very important to understand how proportionality affects your organization’s obligations in relation to DORA. For example, the regulation exempts certain types of companies, including “small and non-interconnected investment firms,” from Articles 5–15 of DORA but subjects them to what they term a “simplified ICT risk management framework.”

A notable requirement is that ICT providers deemed to be “critical third parties”—such as cloud platforms or data analytics services—need to establish a subsidiary within the EU within 12 months of designation (if they do not already have an EU establishment) to ensure that effective oversight can be implemented. As part of DORA, the supervisory authorities also retain the right to conduct inspections on critical technology service providers outside of the EU as deemed required.

While this sounds like an onerous requirement, the regulation does state that ICT providers may choose to establish a new subsidiary or may repurpose an existing subsidiary. It also states that the requirement to set up a subsidiary in the EU is not intended to prevent the ICT provider from supplying its services from facilities and infrastructure located outside the EU. 

As with previous EBA guidelines on outsourcing, non-EU parent companies of EU financial services firms that provide ICT infrastructure or services (i.e., via an inter-affiliate arrangement) are considered “third-party service providers” and will be impacted by many of the third-party risk management requirements.

Firms must be aware of the potential risks of failing to comply with DORA. DORA itself leaves the administrative penalties for financial entities to the national competent authorities of each member state, so the exact amounts will vary by jurisdiction; for ICT providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover for up to six months. In every case the penalties applied will depend on the severity of the violations and the degree of cooperation with the competent authorities.

The Key Requirements for Compliance

DORA sets out specific and often technical requirements for financial entities and ICT providers across four key areas: ICT risk management and governance, incident response and reporting, digital operational resilience testing and third-party risk management.

We have outlined key requirements for each area below.

ICT Risk Management and Governance

DORA puts great emphasis on a company’s management body/board being ultimately responsible for digital operational resilience and ICT risk management. It is incumbent upon the management body, for example, to define, approve, oversee and implement the ICT risk management framework, including digital operational resilience strategy, as well as maintain a level of “sufficient knowledge” of the risks and the measures in place to mitigate them. The management team must also allocate responsibility for monitoring ICT third parties or give a senior manager responsibility for overseeing the related ICT risk exposure. DORA also requires that companies assign ICT risk to a control function and ensure the separation and independence of ICT risk management functions, control functions and internal audit functions, i.e., three lines of defense.

Organizations are also expected to establish appropriate cybersecurity protection measures. This includes policies and repeatable programs in relation to, among other things, patch management and technical controls or solutions such as encryption, SIEM/MDR and various security testing mechanisms such as penetration testing, vulnerability scanning, secure configurations/hardening and tabletop exercises.

These requirements closely echo last year’s SEC rule changes, which require companies to describe board oversight of cybersecurity risks and management expertise in assessing and managing material cybersecurity risks. Both developments make it even more important for organizations to ensure that they can maintain and demonstrate a robust and up-to-date cyber strategy that supports and aligns with the organization’s business and digital strategies.

  • Underpin Risk Management through Strategic Alignment

To ensure strategic alignment, businesses need to establish a clear link between their business objectives and the technology risks that may arise, and they must ensure a clear flow of information between business processes, their ICT risk management practices and senior management. This will enable more effective alignment with their overall business strategy and allow for swift identification and escalation of potential issues and remedial actions required in relation to ICT controls. Therefore, the alignment of strategic direction must be traceable throughout the entire governance framework and clearly stipulated in related policies and procedures.


Figure 2: Key Elements of DORA-Aligned ICT Risk Management Framework

Incident Response and Reporting

DORA includes stringent rules on incident response and reporting to regulatory bodies. Entities in scope of DORA are required to establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents.

Organizations are required to report all major ICT-related incidents to their competent authority and to inform affected clients where an incident has an impact on their financial interests. Whether an incident is major is determined by considering criteria such as the number and relevance of users/clients impacted, the duration of service downtime, the geographical spread, the type of data loss, the severity of the impact, the criticality of the services affected and the economic impact. The exact reporting requirements and time frames were published in the second batch of RTS, as follows:

Content and Timelines for Reporting

Four Hours

An initial notification to the competent authority within four hours of classifying the incident as major, and in any case no later than 24 hours after the entity becomes aware of the incident (so slow triage does not extend the deadline)

Seventy-Two Hours

An intermediate report within 72 hours of submitting the initial notification, outlining steps and progress made toward resolving the incident

One Month

A final report within one month of submitting the intermediate report, outlining further details of the incident and its resolution, including an analysis of the root causes of the incident

These requirements present extremely challenging turnaround times, demanding precise incident response plans and rapid, seamless coordination between internal incident response teams, impacted business functions, counsel and incident/forensics vendors. The requirements will add further pressure to organizations with a presence in other jurisdictions such as the U.S., where organizations are now also required to disclose cyber incidents deemed to be “material” within four business days of that materiality determination under the new SEC rules.
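The interaction between the four-hour and 24-hour clocks is where incident response runbooks most often go wrong: the initial notification is due four hours after classification, but the 24-hour cap from awareness applies regardless of how long triage took. The following Python is an added example, not code from the original article or from Kroll; it shows one way an incident response team could encode the classification criteria and reporting clocks described above. The classification thresholds and the "CIF plus one criterion" rule are illustrative placeholders, not the figures in the RTS, and "one month" is taken as 30 days for the example; the sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Clocks as the article describes them: 4 hours from classification as major,
# but no later than 24 hours from becoming aware; 72 hours from the initial
# notification for the intermediate report; one month from the intermediate
# report for the final report (taken as 30 days here, an assumption).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)


@dataclass(frozen=True)
class Incident:
    ref: str
    aware_at: datetime        # when the entity became aware of the incident
    clients_affected: int
    client_base: int
    downtime: timedelta
    member_states: int        # EU member states where the impact is felt
    data_loss: bool           # loss of availability/integrity/confidentiality of data
    affects_cif: bool         # a critical or important function is impacted
    loss_eur: float


def is_major(inc: Incident) -> bool:
    """Classify using the criteria the article lists. The thresholds below are
    illustrative placeholders for this example, not the figures in the RTS."""
    share = inc.clients_affected / inc.client_base if inc.client_base else 0.0
    hits = sum([
        share >= 0.10 or inc.clients_affected >= 100_000,  # assumed threshold
        inc.downtime >= timedelta(hours=24),               # assumed threshold
        inc.member_states >= 2,                            # assumed threshold
        inc.data_loss,
        inc.loss_eur >= 100_000,                           # assumed threshold
    ])
    # Assumed rule: impact on a CIF plus any one criterion, or two criteria
    # without a CIF impact, makes the incident major.
    return hits >= (1 if inc.affects_cif else 2)


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """Earlier of classification + 4h and awareness + 24h, so slow triage
    cannot push the initial notification past the 24-hour cap."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               aware_at + INITIAL_CAP_AFTER_AWARENESS)


def intermediate_deadline(initial_sent_at: datetime) -> datetime:
    return initial_sent_at + INTERMEDIATE_AFTER_INITIAL


def final_deadline(intermediate_sent_at: datetime) -> datetime:
    return intermediate_sent_at + FINAL_AFTER_INTERMEDIATE


def plan(inc: Incident, classified_at: datetime) -> Optional[dict]:
    """Reporting schedule for a major incident, assuming each report is sent
    exactly at its deadline; None when the incident is not major."""
    if not is_major(inc):
        return None
    initial = initial_deadline(inc.aware_at, classified_at)
    intermediate = intermediate_deadline(initial)
    final = final_deadline(intermediate)
    return {
        "ref": inc.ref,
        "initial_due": initial.isoformat(),
        "intermediate_due": intermediate.isoformat(),
        "final_due": final.isoformat(),
        "capped_by_24h": initial == inc.aware_at + INITIAL_CAP_AFTER_AWARENESS,
    }


# Constructed sample incidents (not real events).
AWARE = datetime(2025, 3, 3, 9, 0)
SAMPLE_MAJOR = Incident("INC-0001", AWARE, clients_affected=15_000, client_base=100_000,
                        downtime=timedelta(hours=30), member_states=1, data_loss=False,
                        affects_cif=True, loss_eur=20_000.0)
SAMPLE_MINOR = Incident("INC-0002", AWARE, clients_affected=40, client_base=100_000,
                        downtime=timedelta(minutes=45), member_states=1, data_loss=False,
                        affects_cif=False, loss_eur=500.0)


def demo() -> dict:
    """Same major incident triaged fast (4-hour clock governs) and slow
    (24-hour cap bites), plus a minor incident that needs no report."""
    return {
        "fast": plan(SAMPLE_MAJOR, AWARE + timedelta(hours=1)),
        "slow": plan(SAMPLE_MAJOR, AWARE + timedelta(hours=23)),
        "minor": plan(SAMPLE_MINOR, AWARE + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, schedule in demo().items():
        print(name, schedule)
```

In the slow case the incident is classified at 08:00 the next day, 23 hours after awareness; the four-hour clock alone would allow until 12:00, but the cap pulls the deadline back to 09:00. Wiring the awareness timestamp into the ticketing system at detection time, rather than at classification, is what makes this calculation possible in practice.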

In summary, the DORA regulatory technical standards for incident management classification and reporting:

  • Define criteria and materiality thresholds for determining major ICT-related incidents

  • Establish the content of the reports for major ICT-related incidents and for significant cyber threats

  • Set criteria for classifying cyber threats as significant, including high materiality thresholds for determining significant cyber threats

  • Determine the time limits for the initial notification and for each report

  • Estimate the aggregated costs/losses caused by major ICT-related incidents

In line with DORA’s aim of harmonizing the regulatory landscape for financial institutions and reducing the administrative burden and potentially duplicative reporting obligations for in-scope financial entities, DORA’s incident reporting requirements are “lex specialis” to other reporting requirements such as PSD2 and NIS2.

  • Enhance Incident Response with Business Continuity Management

Business continuity management—which spans organizations’ business and technical resiliency functions as well as IT and cybersecurity—is not only a key aspect of effective incident response but also critical to achieving true cyber maturity, as highlighted in our report The State of Cyber Defense 2023: Detection and Response Maturity Model. Organizations can prepare for DORA by ensuring they are as ready as they can be should an IT disruption arise. To do so, they should ensure that their business continuity approach includes:

  • An enterprise risk map
  • A business continuity policy
  • Business impact assessments
  • Extensive recovery plans
  • An incident management plan
  • Data and incident classifications
  • Crisis communications procedures
  • An incident register
  • Regular testing of response processes

As highlighted in the diagram below, business continuity should be a continuous activity involving all key areas of the business.


Digital Operational Resilience Testing

DORA requires organizations to test their ICT systems regularly to evaluate their defenses and identify vulnerabilities. In some instances, test results and associated plans should be made visible or reported to and validated by the relevant competent authorities.

There are multiple types of testing techniques available to ensure the effectiveness of controls for DORA. These include vulnerability scanning, penetration testing, red teaming and tabletop exercises.


  • TLPT in Summary

Financial entities identified by their competent authority as having a critical role—on the basis of criteria in the TLPT RTS that include, among others, the credit institutions classified as “significant” under the ECB’s Single Supervisory Mechanism—will also need to undergo TLPT at least every three years. A subset of the entity’s critical ICT providers will also be required to take part, depending on the scope defined for each test. TLPT is essentially a controlled assessment of the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors. Organizations are first required to identify essential services, which DORA terms “Critical or Important Functions” (CIFs). If disrupted, such services would or could have a material impact on the business, its clients and markets. Systems and processes—including those provided by third parties—that underpin these services also need to be identified, with a specific subset targeted during each TLPT.

DORA specifies the methodology by which the threat intelligence collection and penetration test/red-team exercises must be carried out, including the overall governance processes. It also points to TIBER-EU, a European framework for threat intelligence-based ethical red-teaming (comparable to CBEST in the UK), for detailed guidelines as to how they should be conducted. Most organizations will need to identify and procure both the threat intelligence and testing services from an accredited vendor. It’s very important to ensure that planning takes place well in advance because TLPTs are extensive, require detailed governance and planning and can often take up to nine months to execute end to end (with additional time required for follow-on remediation activities).

Third-Party Risk Management

Given the increasing number of incidents and data breaches associated with third parties and the inherent risk associated with supply chains, it is unsurprising that third-party risk management is a key aspect of the new regulation and, for many organizations, the domain in which the largest remediation efforts are required. DORA not only applies to financial entities but also to the ICT providers that support the financial sector. As such, financial companies must be proactive in managing ICT third-party risk and be careful to proactively review and plan for key—and potentially onerous—requirements related to the updating of contractual arrangements. Failure to do so could mean that they will not be allowed to work with ICT providers unable to meet these requirements.


Figure 3: Minimum Provisions for Critical Third-Party Contracts as Defined by DORA

Financial institutions will also be required to map out their third-party ICT relationships and ensure that their CIFs aren’t too heavily dependent on one provider or a small group of providers, i.e., assess and mitigate concentration risk.

Those third parties assessed as “critical” to operations will require heightened controls and greater oversight. As such, a risk-based approach is recommended to managing this risk. DORA aims to support this task via the provision of third-party registers: a suite of predefined templates that must be populated and maintained by in-scope organizations.
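Concentration risk is easy to miss when the register is maintained per contract, because two apparently independent providers may share a parent, and a single provider may quietly underpin most critical functions. The following Python is an added example, not code from the original article or from Kroll, showing one way to run the concentration and substitutability checks described above over a simplified register of information. The register rows, provider names, parent groups and the 50% risk-appetite cut-off are constructed assumptions for the example, not the ITS template or any real supplier data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Arrangement:
    """One simplified row of the register of information: which ICT provider
    delivers which service to which critical or important function (CIF)."""
    provider: str
    parent_group: str      # ultimate parent, so affiliated providers are counted together
    service: str
    cif: str
    substitutable: bool    # an alternative provider could take over without a CIF outage


# Constructed sample register; providers, groups and functions are hypothetical.
REGISTER: List[Arrangement] = [
    Arrangement("CloudCo", "CloudCo Group", "IaaS hosting", "Payments", False),
    Arrangement("CloudCo", "CloudCo Group", "IaaS hosting", "Trading", False),
    Arrangement("CloudCo", "CloudCo Group", "Object storage", "Custody", True),
    Arrangement("DataStream Ltd", "CloudCo Group", "Market data feed", "Trading", True),
    Arrangement("PayNet", "PayNet SA", "Card switch", "Payments", False),
    Arrangement("BackupCorp", "BackupCorp", "Offsite backup", "Custody", True),
]


def cifs_by_group(register: List[Arrangement]) -> Dict[str, Set[str]]:
    """CIFs supported by each parent group, aggregating affiliated providers
    so that a subsidiary does not hide the group's real footprint."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for row in register:
        out[row.parent_group].add(row.cif)
    return dict(out)


def concentration(register: List[Arrangement], max_share: float = 0.5) -> Dict[str, float]:
    """Share of all CIFs that depend on each parent group; only groups above
    max_share are returned (0.5 is an assumed risk appetite, not a DORA figure)."""
    all_cifs = {row.cif for row in register}
    shares = {g: len(c) / len(all_cifs) for g, c in cifs_by_group(register).items()}
    return {g: s for g, s in shares.items() if s > max_share}


def single_points_of_failure(register: List[Arrangement]) -> List[Tuple[str, str, str]]:
    """(CIF, service, provider) triples with no ready substitute: these need an
    exit strategy and a tested contingency plan, not just a contract clause."""
    return sorted((r.cif, r.service, r.provider) for r in register if not r.substitutable)


def exit_plan_owners(register: List[Arrangement]) -> Set[str]:
    """Providers carrying at least one non-substitutable CIF dependency."""
    return {r.provider for r in register if not r.substitutable}


if __name__ == "__main__":
    print("Concentrated groups:", concentration(REGISTER))
    print("Single points of failure:", single_points_of_failure(REGISTER))
    print("Exit plans needed for:", sorted(exit_plan_owners(REGISTER)))
```

On the sample register, CloudCo Group ends up supporting every CIF once DataStream Ltd is attributed to its parent, even though CloudCo alone would look like a two-thirds dependency; that is the kind of overlap a per-contract review does not surface. The same structure extends naturally to fourth parties if the register records the subcontractors behind each service.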

Implementing an Effective Vendor Management Cycle

With third-party management critical to meeting the requirements of DORA, organizations should follow a consistent process when working with key vendors.

At a high level, this includes:

  • Selection and onboarding
  • Classifying vendors using a risk-based approach
  • Undertaking due diligence on the selected third parties before contracting
  • Establishing necessary appropriate controls

Ongoing Assurance

  • Undertake assessments and ongoing management of the risk associated with using specific third parties.
  • Maintain the respective outsourcing repositories/registers

Offboarding

  • Complete the secure termination of the arrangement, offboarding the third party and ensuring company data is returned or securely deleted.

Preparing for DORA: Next Steps

While the prospect of updating controls and processes in line with the new regulation can seem daunting, keep in mind that DORA is an evolution of existing obligations, practices and activities, many of which organizations will already be conducting in some way or already be looking to prioritize or enhance.

For example, financial services firms will already have aspects of the requirements in place in relation to business continuity planning and operational risk management, largely due to MiFID II and other sector-specific regulations, as well as industry standards such as PCI DSS. Take note, however, that DORA requirements can be very prescriptive and can introduce enhanced requirements.

This means that every organization will need to make critical changes to their internal controls environment in preparation for DORA’s enforcement. Given its comprehensiveness and complexity, early preparation and planning is key.

Important next steps include:

  • Gaining External Assurance

Partner with an external organization if needed to understand the impact of DORA on your firm and the level of requirements you will need to align with (taking advantage of the concept of “proportionality”) and to help with establishing an overarching DORA program, including the appropriate engagement and education/awareness of key internal stakeholders. Securing the support of all stakeholders is an important step in gaining buy-in, resources and budget to start designing and implementing compliant frameworks. As training and awareness initiatives will be required under DORA, it is important to begin establishing these as early on as possible.

  • Assessing Existing Frameworks

Conduct a detailed gap assessment of your ICT risk management/testing, incident management and third-party risk management frameworks and controls against DORA, ideally aligned with and in the context of key control frameworks and standards such as NIST and ISO27x.

  • Commencing Remediation

Time is of the essence, so don’t wait until the gap analysis work is complete to start remediation work in parallel. There is a lot of “no regret” remedial work that will be required regardless of gap analysis outputs, including building stakeholder awareness, establishing programs, setting up new incident reporting classification and reporting processes, managing population and ownership (ongoing maintenance) of third-party registers, building out of the enhanced risk management framework and (perhaps most onerously) identifying and uplifting ICT third-party contractual arrangements.

It is now just six months until DORA becomes applicable. Organizations need to remember that it’s a law, not a recommendation or a guideline, so the associated regulatory risk and potential repercussions are very real. If they haven’t already started to do so, organizations must act now in order to be prepared before the final date to comply with DORA.

They can achieve this more easily and quickly by accessing support from partners with proven expertise. With unrivalled expertise in cybersecurity assessments and program design, cyber resilience risk management, incident response, digital resilience testing and third-party risk management, Kroll is uniquely positioned to provide in-depth support to help your organization prepare for and fully meet DORA requirements. We have a long track record of working with financial institutions to enable them to achieve their security and regulatory goals. Learn more about our services.
