DORA - Digital Operational Resilience Act

The financial sector relies heavily on digital systems, making digital operational resilience critical. The Digital Operational Resilience Act (DORA) is the EU's comprehensive regulation designed to bolster the cybersecurity and ICT risk management of financial entities and their critical third-party providers.

DORA, the act

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is a groundbreaking European Union regulation that establishes a unified framework for the digital operational resilience of financial entities. Its primary objective is to ensure that financial institutions can withstand, respond to, and recover from ICT-related incidents and threats effectively. Before DORA, the focus was primarily on financial capital to cover losses; DORA shifts this to ensuring the operational ability of systems to function securely amidst disruptions. This includes stringent requirements for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management.

Scope for DORA

DORA's scope is broad, encompassing nearly all entities within the EU financial sector and their critical ICT third-party service providers. This means various areas of your organization will be directly impacted and must align with DORA's requirements:

  • Financial Entities: This includes a wide array of institutions such as banks, credit institutions, investment firms, insurance and reinsurance companies, payment service providers (PSPs), electronic money institutions, crypto-asset service providers (CASPs), central securities depositories, trading venues, and more.
  • ICT Risk Management Teams: Responsible for identifying, assessing, managing, protecting, detecting, responding to, and recovering from ICT risks.
  • Incident Response Teams: Mandated to establish robust processes for detecting, managing, classifying, and reporting major ICT-related incidents.
  • Operational Resilience & Business Continuity: Teams responsible for developing and testing digital operational resilience strategies, including threat-led penetration testing (TLPT).
  • Procurement & Third-Party Risk Management: Critical for assessing, monitoring, and managing risks associated with all ICT third-party service providers, including cloud providers and software vendors.
  • Governance & Senior Management: The management body of financial entities is ultimately accountable for ensuring effective ICT risk management strategies and policies.
  • Legal & Compliance Departments: Responsible for interpreting DORA's requirements and ensuring adherence across the organization.

Essentially, any function involved in the lifecycle, security, and continuity of information and communication technologies that support financial services will fall under DORA's stringent oversight.

Complying with DORA

DORA compliance is structured around five core pillars, each with specific requirements that form the "rules" for financial entities:

ICT Risk Management: Establish and maintain a comprehensive framework to identify, assess, manage, and monitor all ICT risks. This includes developing robust protection and prevention measures, detection capabilities, and response and recovery strategies. Regular reviews and updates are mandatory.

ICT-Related Incident Management, Classification, and Reporting: Implement processes to detect, manage, and classify ICT-related incidents. Major incidents must be reported to competent authorities using standardized templates within strict timelines.

Digital Operational Resilience Testing: Conduct regular and comprehensive testing of ICT systems and tools, including vulnerability assessments, penetration testing, and advanced threat-led penetration testing (TLPT) for critical functions.

Managing of ICT Third-Party Risk: Establish a robust framework for managing risks posed by third-party ICT service providers. This involves thorough due diligence, clear contractual provisions (including DORA-specific clauses), continuous monitoring, and strategies for managing concentration risk.

Information Sharing Arrangements: Encourage and facilitate the voluntary sharing of cyber threat information and intelligence with other financial entities to enhance collective resilience.

Adhering to these pillars ensures a high common level of digital operational resilience across the EU financial sector.

Certifications or Validations

It's important to note that DORA is a regulation, not a certification standard like ISO 27001. Therefore, organizations don't "certify" with DORA in the same way they would an ISO standard. Instead, compliance is legally mandated for in-scope financial entities.

However, organizations can take structured steps to demonstrate and achieve DORA compliance:

  • Conduct a DORA Gap Analysis: Assess your current ICT risk management framework, incident response, resilience testing, and third-party management practices against DORA's requirements to identify gaps.
  • Develop a Remediation Roadmap: Create a detailed plan to address identified gaps, prioritizing high-risk areas and assigning responsibilities.
  • Implement Necessary Controls: Put in place the required ICT risk management frameworks, incident management processes, operational resilience testing programs, and third-party risk management protocols. This includes establishing governance structures, policies, and procedures.
  • Documentation & Evidence Collection: Maintain meticulous records of all compliance activities, including risk assessments, test results, incident reports, and contractual agreements with third parties.
  • Regular Testing & Monitoring: Continuously monitor your ICT systems and conduct regular resilience tests (including TLPT where applicable) to ensure ongoing effectiveness.
  • Employee Training & Awareness: Ensure all relevant personnel are trained on DORA requirements and their roles in maintaining digital operational resilience.
  • Engage with Regulators: Be prepared for potential regulatory oversight, audits, and requests for information from national competent authorities. While there's no "DORA certificate," demonstrating adherence to these steps is crucial for meeting your legal obligations.

DORA vs Others

DORA is the key regulation for digital operational resilience in the EU financial sector, and it sits alongside related frameworks such as the NIS2 Directive, ISO 27001, and the NIST Cybersecurity Framework. While NIS2 covers a broader range of sectors, DORA's sector-specific rules for financial entities take precedence where both apply. ISO 27001 offers a general information security management framework, but DORA requires additional measures for operational resilience and third-party oversight. The NIST framework shares DORA's cybersecurity goals but is voluntary guidance rather than binding law. In the US, the NYDFS regulation aligns with DORA's focus on risk and vendor management. Post-Brexit, the UK has its own operational resilience regulations, similar in intent but distinct from DORA's EU-specific mandates.
