What is DORA?
The Digital Operational Resilience Act is a European framework that establishes a uniform approach to the security and integrity of the information and communication technology (ICT) systems used by participants in the financial markets within the European Union’s jurisdiction.
Why is it relevant, and what is the context?
DORA aims to keep pace with increased digitisation and the use of ICT within financial markets. The increased digitisation across the financial system has amplified ICT risk without respective scrutiny on the operational resilience of the systems and processes in place.
Digitisation within the financial sector has reached a point where ICT systems are critical to the delivery of daily operations, whereas in the past some actions such as payments and securities clearing through to back-office activities were cash or paper based. It has also extended and deepened the inter-connected relationship with insurance organisations and intermediaries.
As such, the risk of an isolated incident spreading faster and posing a greater threat is more likely, resulting in potential systemic risk to the industry. In order to maintain faith in the financial markets and uphold investor confidence, the EU has recognised the need to implement a common approach to sustaining operational resilience.
Who is impacted by it?
More than 22,000 organisations will be impacted by DORA. The regulation applies to a wide range of entities beyond purely critical financial entities, many of which have not previously been mandated by an earlier directive to adopt specific or prescriptive security measures.
Organisations to which DORA applies include key financial entities, namely credit and payment institutions, electronic money institutions, investment firms, central securities depositories and crowdfunding service providers, as well as third-party ICT service providers, crypto-asset service providers, insurance providers and intermediaries. A full list is set out in Regulation (EU) 2022/2554 (DORA).
To keep pace with technological advancements as participants take up new digital services, a broad definition has been applied to ICT.
What does the Framework entail?
The regulations can be broken down into the following key areas:
1) ICT Risk Management
Organisations must have a sound, comprehensive and well-documented risk management framework. Furthermore, ICT processes, tools and protocols must be in place to identify, detect and respond to ICT-related risks.
2) ICT-related Incident Management
Incident management is a critical aspect of any organisation and its importance is reflected within the regulation. Processes must be in place to handle incidents when they arise, covering the initial identification stage all the way through to documenting any lessons learned. Organisations must also have a way of classifying incidents based on their criticality.
3) Digital Operational Resilience Testing
Operational resilience testing means testing the organisation’s infrastructure for vulnerabilities that could be exploited, as well as identifying areas that can be improved. The regulation requires that organisations adopt a risk-based approach and complete tests at regular intervals. Any significant issues raised should be documented and acted upon in a timely manner.
4) ICT Third-Party Risk Management
It is important that an organisation is aware of the inherent risks that arise from the ICT supply chain it relies on. Processes must be in place to manage and monitor these relationships effectively. Furthermore, organisations should ensure that contractual agreements with third parties provide sufficient protection on matters such as security incidents, data breaches and data integrity.
5) Information Sharing Arrangements
Finally, organisations must have arrangements in place to share cyber threat information and intelligence with other entities. Information sharing is a powerful way of spreading best practice and alerting others to previously unknown issues.
The deadline and the importance of acting now
DORA came into force on the 16th January 2023, although organisations will be required to be compliant from the 17th January 2025.
Cyber Security Associates’ View:
DORA will act as a trigger for organisations to reassess ongoing projects, consider how they relate to the framework and ensure operational resilience. This could amount to a large amount of due diligence work and adjustments to current and upcoming projects, impacting both time and cost.
It will also impact existing and new contracts between financial entities and ICT providers that will need to be adjusted to insert contractual obligations outlined in DORA. This will involve re-assessment of all relevant live contracts and scrutiny of new engagements, requiring additional support for in-house legal and compliance or specialist third-party support.
Additionally, organisations will need to spend more time engaging with and assessing their supply chain and implementing measures to mitigate risk. Third-party risk management will also need to align with the emerging regulatory requirements.
DORA also widens the range of organisations that must now think critically about their operational resilience and third-party supply chain. Firms such as crypto-asset service providers, intermediaries and even cloud service providers were not previously subject to such extensive regulatory requirements.
What should you do about it?
Organisations should approach DORA with the same risk-based method they apply to other frameworks and risk mitigation activities, scaled to their size, risk profile and nature of business. Smaller and micro-entities may have simplified requirements compared to larger financial entities, and aspects such as advanced digital resilience testing may only apply to a small percentage of organisations operating within the EU. Additionally, aspects such as incident reporting, which some organisations would previously have handled under other directives (such as Directive (EU) 2015/2366 of the European Parliament), now fall under this regulation. It is therefore imperative to understand which aspects of the DORA framework are relevant to the organisation and what activities need to be carried out. CSA strongly advises conducting a gap analysis and maturity assessment against the framework, taking into account existing measures and processes already in place that could be aligned to it.
Get in touch
Cyber Security Associates, founded in 2006, is a leading security consulting, governance and risk practice. In addition, CSA has a market-leading SOC service built around Microsoft’s technology stack. CSA delivers a variety of services to FTSE 100 and Fortune 500 companies, including a myriad of financial entities, through to SMEs and public sector and governmental organisations.
We have a trusted team of qualified consultants with experience across various frameworks and risk management practices, including DORA.
For more information on DORA or CSA’s wider security capabilities, please get in touch via the Contact Us page on our website.