The EU's Digital Operational Resilience Act (DORA) will officially take effect on January 17th 2025. Failure to achieve DORA compliance by the deadline could result in substantial fines for your organisation, so it is important that you start to get prepared now.
Our latest blog post provides essential insights into DORA, covering its purpose, key components, who it affects, and steps for preparation.
Firstly, why has the DORA framework been created?
With the financial sector increasingly reliant on technology, it has become a prime target for cyber-attacks. DORA aims to address this vulnerability by offering clear guidance and standards to manage and mitigate information and communication technology (ICT) risks effectively.
What is DORA?
DORA is an EU (European Union) regulation designed to strengthen the financial sector's IT security posture.
As stated in Recital 105, DORA’s objective is “to achieve a high level of digital operational resilience for regulated financial entities”.
DORA has two main objectives: firstly, to comprehensively address ICT risk management within the financial services sector, and secondly, to harmonise existing ICT risk management regulations across EU member states.
What does it cover?
Not all areas covered by DORA are unique. DORA builds upon regulations set out by the NIS 2 Directive and ENISA (the European Union Agency for Cybersecurity).
The focus of DORA is to set a clear standard on how financial institutions will manage their ICT risks. These risks have been broken into five foundational pillars.
ICT Risk Management
DORA mandates the development of strategies and capabilities around governance, threat identification and protection, and ICT change management policy. Financial entities are responsible for setting up a complete ICT Risk Management framework. The requirements include:
- Set up and maintain resilient IT systems and tools to reduce the impact of IT risks.
- Recognise, label and document assets that are critical.
- Monitor all sources of IT risks and establish adequate countermeasures.
- Put in place prompt detection of anomalous activities.
- Ensure that comprehensive business continuity policies and recovery plans support all aspects of the organisation and are tested yearly.
- Put in place procedures to learn and evolve from near-misses reported from external events, as well as from your own IT incidents.
Incident Reporting and Information Sharing
DORA introduces a new framework for incident reporting and information sharing. This includes reporting incidents to relevant authorities to improve transparency and response to cyber threats, as well as sharing information on threats and vulnerabilities with other financial entities.
DORA requires that financial entities:
- Build a streamlined process and procedures to log and classify all IT incidents. This process should determine major incidents according to the criteria detailed within the regulation and listed by the European Supervisory Authorities (ESAs: the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)).
- Develop a process that submits an initial, intermediate, and final report on IT-related incidents.
- Synchronise the reporting of IT-related incidents using standard templates developed by the ESAs.
These requirements also apply to operational or security payment-related incidents where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
Digital Operational Resilience Testing
DORA requires all entities to:
- Perform basic IT testing of IT tools and systems; these tests must be completed at least annually.
- Ensure that measures are taken to identify, mitigate and eliminate gaps, weaknesses and exploitable vulnerabilities in digital operations.
- Periodically perform advanced Threat-Led Penetration Testing (TLPT) for IT services which can impact vital assets. IT third-party service providers are also required to participate in this testing.
ICT Third Party Risk Management
DORA emphasises the management of third-party risks to ensure consistent provision of services across the entire supply chain.
DORA requires all entities to:
- Monitor risks originating from reliance on IT third-party providers.
- Synchronise/harmonise all key components of service and relationship with the IT third-party providers to achieve a comprehensive monitoring approach.
- Report on a complete register of any subcontracted activities, including intra-group services and any changes to the subcontracting of vital services to third-party providers.
- Ensure that all critical IT third-party providers follow an ESA Oversight Framework. This will provide recommendations on mitigation of identified IT risks. Financial entities must consider third-party risks of service providers who do not subscribe to the defined recommendations.
- Consider the risks developing from sub-outsourcing activities.
- Ensure all contracts with third-party providers contain the mandatory clauses specified by DORA. These should include details such as SLAs, the locations where data is processed, and monitoring of all necessary assets.
Information Sharing Arrangements
The DORA regulation will allow financial entities to connect amongst themselves to exchange cyber threat information and intelligence. The supervisory authority will provide anonymised intelligence and information regarding cyber threats to financial institutions. It will be for financial entities to review and act on information shared by the authorities.
Does it apply to me?
The Digital Operational Resilience Act applies to 21 types of entities.
- Credit Institutions: these are traditional banks and similar financial institutions that offer credit facilities.
- Payment Institutions: this category includes all institutions engaged in payment processing, including those exempted under Directive (EU) 2015/2366 (PSD2).
- Account Information Service Providers: entities that provide consolidated information on one or more payment accounts.
- Electronic Money Institutions: including those exempted under Directive 2009/110/EC (EMD2), these institutions issue and manage electronic money.
- Investment Firms: those involved in securities trading and related services.
- Crypto-Asset Service Providers and Issuers of Asset-Referenced Tokens: entities dealing with cryptocurrencies and related financial products.
- Central Securities Depositories: institutions that hold and administer securities and enable securities transactions to be processed.
- Central Counterparties: entities that facilitate transactions between various entities in the financial markets.
- Trading Venues: this includes stock exchanges and other platforms where financial instruments are traded.
- Trade Repositories: entities that maintain records of derivatives contracts.
- Managers of Alternative Investment Funds: entities managing investments in alternative assets.
- Management Companies: those that manage investment funds.
- Data Reporting Service Providers: entities providing data and reporting services in financial markets.
- Insurance and Reinsurance Undertakings: companies involved in insurance and reinsurance businesses.
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: agents and brokers in the insurance market.
- Institutions for Occupational Retirement Provision: entities managing occupational pension schemes.
- Credit Rating Agencies: agencies that provide credit ratings for various financial entities.
- Administrators of Critical Benchmarks: entities responsible for setting benchmarks that are critical to financial markets.
- Crowdfunding Service Providers: platforms that facilitate crowdfunding for various purposes.
- Securitisation Repositories: entities dealing with the documentation and reporting of securitisations.
- ICT Third-Party Service Providers: suppliers of information and communication technology services to financial entities.
What should I do now?
Based on our experience, preparing for the initial implementation of new regulations can prove to be much more time-consuming and resource-intensive than many organisations anticipate.
The first thing we would recommend that you do is to conduct a gap analysis and create a roadmap to compliance. Talk to Toro about our DORA gap assessment tool and services.
Analyse your current process for risk management, incident management and reporting, resilience testing, third-party management, and threat intelligence to understand where your gaps exist.
- ICT Risk Management: start by conducting a thorough gap analysis of your current ICT risk management and governance practices.
- Incident Reporting: evaluate your incident management and reporting maturity to understand current capabilities and awareness of ICT incident reporting requirements. Assess the ability to detect near-miss incidents and how you report incidents.
- Resilience Testing: assess the skills and capabilities necessary for designing and conducting resilience testing. You may already have operational resilience requirements if regulated in the UK.
- Third-Party Suppliers: understand the criticality of your service providers to core business processes and review third-party/supply chain vulnerabilities to develop a risk containment strategy.
Once you know your gaps, you can identify and implement remediations to meet the DORA requirements. By taking a proactive approach now you will be able to develop a realistic and achievable implementation plan that will keep you on the front foot and ensure your compliance with the regulation.
Toro can support you on your journey to manage all DORA’s regulatory requirements and enable you to achieve your organisation’s resilience objectives.
If you have questions regarding DORA and want to understand how Toro can support, please get in touch.