The Digital Operational Resilience Act (DORA) will be fully effective on January 17, 2025. Its purpose is to prevent and minimize cyber threats in the EU financial industry by requiring firms to establish comprehensive information and communications technology (ICT) risk management frameworks.
While there is awareness of DORA in the marketplace, some firms do not fully understand its risks and consequences because of its broad scope. As with the introduction of the EU GDPR, many businesses may underestimate the effort needed to achieve compliance. Those outside the EU may overlook the need to adapt to the changes, potentially leaving them at risk of not meeting the new regulatory standards.
To avoid this scenario, businesses should take proactive steps now. This article outlines key aspects of the regulation, provides recommendations, and suggests actions to prepare for January 2025.
Accelerating Operational Resilience in the Financial Sector
Digital operational resilience refers to a financial entity’s ability to establish, assure and review its operational integrity and reliability. Maintaining operational resilience in a rapidly evolving commercial landscape poses a significant challenge for financial institutions, especially as increasing reliance on external environments such as the cloud makes the business landscape riskier and more complex.
In response to these challenges, the EU has introduced DORA, a robust regulatory framework aimed at harmonizing various EU regulations into a single regulation to be adopted by all EU member states. The primary objective of DORA is to enhance digital operational resilience and strengthen the IT security of financial entities such as banks, insurance companies and investment firms.
DORA is structured around five core pillars:
- ICT Risk Management: Establishing a comprehensive risk management framework for ICT systems, including policies, assessments and programs.
- ICT-Related Incident Response and Reporting: Standardizing the reporting of ICT incidents based on predefined criteria, timelines and templates.
- Digital Operational Resilience Testing: Testing and ensuring technology resiliency through techniques like vulnerability scanning and threat-led penetration testing.
- ICT Third-Party Risk: Implementing stricter controls and processes for managing third-party risks, including maintaining ICT outsourcing registers.
- Information Sharing: Facilitating the sharing of information on threat actor activity.
While these five pillars form the foundation of DORA, broader operational resilience requirements, typically handled by organizations’ business resilience and technology resilience functions, are also emphasized throughout the regulation. Therefore, these functions will be integral to any DORA compliance efforts.
Organizations Affected by DORA
DORA’s reach is extensive, covering over 22,000 entities, various types of financial firms, and ICT providers working with or for financial institutions. Understanding how proportionality affects an organization’s obligations under DORA is crucial. For instance, certain types of companies, such as small and non-interconnected investment firms, are exempt from specific articles of DORA but must adhere to a simplified ICT risk management framework.
A notable requirement is for ICT providers deemed critical third parties to establish an EU subsidiary within 12 months, if they do not already have one, to enable effective oversight. In addition, supervisory authorities retain the right to inspect critical service providers outside the EU, as necessary. Non-EU parent companies of EU financial services firms providing ICT services are considered third-party service providers under DORA and must comply with third-party risk management requirements.
Failure to comply with DORA could result in fines of up to 2% of total annual worldwide turnover for entities or a maximum of €1 million for individuals, depending on the severity of the violations.
Key Requirements for Compliance
DORA outlines specific and technical requirements for financial entities and ICT providers in four key areas:
- ICT Risk Management and Governance
- Incident Response and Reporting
- Digital Operational Resilience Testing
- Third-Party Risk Management
ICT Risk Management and Governance
DORA places significant responsibility on a company’s management body for digital operational resilience and ICT risk management. The management team must define, approve, oversee, and implement the ICT risk management framework, including a digital operational resilience strategy. The organization must allocate responsibility for monitoring ICT third parties or designate a senior manager to oversee ICT risk exposure. DORA also mandates that companies assign ICT risk to a control function and ensure the independence of ICT risk management functions, control functions and internal audit functions.
Organizations are required to establish cybersecurity protection measures, including policies and programs for patch management, encryption, security information and event management/managed detection and response, and various security testing mechanisms, such as penetration testing and vulnerability scanning.
DORA sets strict rules for incident response and reporting to regulatory bodies. Major ICT incidents must be reported to regulators and affected parties, and their classification must consider criteria such as user impact, service downtime, data loss and economic impact. The reporting requirements and time frames are detailed in the regulatory technical standards issued under DORA.
Organizations should prepare for DORA by ensuring their business continuity plan includes risk assessments, recovery plans, incident management, data classifications, and crisis communication procedures.
Digital Operational Resilience Testing
DORA requires regular testing of ICT systems to assess defences and identify vulnerabilities. Test results may need validation by competent authorities. Various techniques, such as vulnerability scanning, penetration testing, red teaming and tabletop exercises, can be used in this testing.
Financial entities designated as significant under the ECB’s Single Supervisory Mechanism must undergo Threat-Led Penetration Testing (TLPT) at least every three years. Organizations must identify their Critical or Important Functions and the systems supporting them, as these are the targets of TLPT.
Third-Party Risk Management
Financial institutions must proactively manage ICT third-party risk and update contractual arrangements to comply with DORA requirements. Establishing third-party registers and assessing the dependency on critical third parties is crucial for managing risk effectively.
Implementing an Effective Vendor Management Cycle
Organizations should follow a consistent process when working with key vendors, including selection, onboarding, due diligence, control establishment, ongoing assurance and offboarding.
Preparing for DORA
As the January deadline approaches, it is crucial to align with DORA’s requirements early: engage stakeholders, conduct gap assessments and start remediation efforts. DORA is a legal requirement, which makes it essential for organizations to act promptly to ensure compliance. Seeking support from experienced partners, like Kroll, with expertise in cybersecurity assessments, incident response and risk management can help organizations meet DORA requirements effectively and on time.