Preparing for Digital Operational Resilience Act (DORA) Compliance


Could just one cyber incident lead to a systemic crisis across Europe’s financial system? 

That’s the concern that’s keeping E.U. regulators up at night — and it’s not such a far-fetched idea. Cyberattacks have crippled other industries, including shipping and energy, for weeks or longer at a time in recent years.

In fact, they’re so concerned about it that they’ve recently enacted the Digital Operational Resilience Act (DORA), new legislation designed to force financial institutions, and any third parties that provide digital services to them, to harden their information and communications technology (ICT) systems and improve digital operational resiliency.

DORA’s enactment comes against a backdrop of both the increasing volume and severity of cybersecurity incidents targeting financial institutions and financial organizations’ increasing reliance on digital services and systems. It’s one of many pending or anticipated regulations aimed at the financial sector around the world in recent years.

The regulation lays out requirements around how financial institutions and their vendors will need to prepare for, defend against, and recover from ICT-related incidents. It’s also designed to consolidate a variety of existing regulations and provide a standardized framework for financial ICT risk management across the E.U.

Financial institutions will need to have the necessary processes and infrastructure in place to come into compliance with the new requirements by January 2025. Let’s take a deeper look at the new law, and explore ways financial organizations can best position themselves to become compliant.

What is the Digital Operational Resilience Act (DORA)?

DORA is a new E.U. regulation designed to incentivize financial entities, and the critical third parties providing ICT-related services to them, to improve operational resilience. It consists of rules and guidelines to help them protect against, detect, contain, and recover from ICT-related incidents.

Who does DORA apply to and how will it impact your organization?

DORA is designed specifically for financial institutions, including banks, credit institutions, insurers, investment firms, crypto firms, data providers, and payments processing organizations, but it will also apply to any third parties who provide technology services to those organizations. 

That dynamic extends the impact of the new rules well beyond the financial services sector. While financial institutions will shoulder a heavier responsibility for ensuring the security of their third-party relationships, their vendors will need to tighten up their own third-party risk management to account for the fourth-party risks they pose to the financial institutions they contract with, too.

Some third-party service providers will meet certain thresholds set under the regulation and be regulated directly by the financial regulators, while others will remain below those thresholds and will not be directly supervised.

What are the DORA requirements?

DORA’s requirements cover five distinct areas of ICT risk management: 

ICT risk management framework

Under DORA, financial institutions will be required to have a documented ICT risk management framework in place that allows them to identify, assess, and address ICT risk and ensure high levels of digital operational resilience. This means continuous monitoring of ICT risk, business continuity plans, and processes for analyzing and learning from incidents when they do occur in order to improve digital resilience.

The regulation also designates the organization’s managing body as ultimately responsible for managing ICT risk, for sufficiently educating itself on the topic, and for appropriately maturing the organization’s GRC programs.

Incident management and reporting

Financial institutions will need to establish processes for monitoring, logging, and classifying ICT-related incidents so that they can be reported to the appropriate authorities in a timely fashion.

Digital operational resilience testing

Entities covered under DORA must have a process for testing their ICT risk management framework for effectiveness on a regular basis. This includes vulnerability testing and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing. Critical systems must be assessed annually, and threat-led penetration testing must be conducted every three years. 

Any problems uncovered by this testing must be addressed or mitigated.

Third-party risk management

Covered entities will be required to structure their contracts with third parties to ensure that proper due diligence and ongoing assessment of any third-party relationships can be performed. They’ll also need specific processes for identifying and continuously evaluating critical third-party service providers.

Organizations will also be required to keep a register of all of their third-party relationships.

Information sharing

The regulation promotes information and intelligence sharing between trusted financial institutions to improve digital resiliency, and expects them to develop processes for doing so that ensure any shared information remains secure.

What are the consequences of non-compliance with DORA?

Compliance with DORA is not optional. Failing to adhere to the regulation’s requirements carries stiff penalties for both financial institutions and third parties.

Financial institutions will be subject to:

  • Administrative penalties and remedial measures related to the breach of the regulation, including orders to cease the conduct that is in breach of the regulation.
  • Criminal penalties, if laws are being broken.
  • Public notices indicating the entity and nature of the breach, and the penalty associated.

ICT third parties, meanwhile, could face:

  • Periodic penalty payments for non-compliance. These penalties would be imposed on a daily basis by the Lead Overseer and could equate to up to 1% of the ICT organization’s worldwide turnover from the preceding business year.

What are the costs of DORA compliance to organizations?

For organizations that do not already meet the requirements of DORA, coming into compliance will carry costs associated with building out the necessary infrastructure and processes to do so.

DORA regulators will also be able to conduct audits of covered organizations under the regulation. Organizations will need to have the processes and technology in place to accommodate these audits. Modern GRC technology can help streamline this process and save resources by connecting an organization’s systems to automate evidence collection and report generation.

How could third-party relationships be affected by DORA?

The biggest splash that DORA has made on the European financial sector is the fact that it’s the first financial regulation to put such a focus on ICT third-party risk. This means that there will be a significantly higher level of scrutiny placed on third-party service providers by European Supervisory Authorities. 

Critical ICT service providers based outside of Europe that work with E.U.-based financial organizations will also be required to establish a subsidiary inside the E.U. to ensure oversight can be properly conducted. 

Oversight will be conducted by the Lead Overseer, a governing body comprised of the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority. The Lead Overseer is tasked with “assessing whether each critical ICT third-party service provider has in place comprehensive, sound, and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.” That oversight would include audits and inspections, access to documentation, and levying fines and penalties.

How can organizations prepare for DORA compliance?

DORA doesn’t go into full effect until 2025, and we expect more defined requirements to be published between now and then, but that doesn’t mean you should wait to start taking the actions necessary to set your organization up for compliance. And beyond compliance, falling into step with DORA carries multiple benefits for your organization, including:

  • Better mitigation of cybersecurity threats and related risks
  • Being able to recover from ICT-related disruptions faster and more effectively
  • Avoiding non-compliance fines and penalties altogether

Complying with DORA spans multiple risk management functions:

Cyber risk and controls compliance management

Because of its focus on ICT and ICT third-party risk, DORA is a cybersecurity and information technology regulation at its core. This means organizations should take stock of their cyber risk landscape now and begin working to bolster their cybersecurity defenses to prevent or respond to ICT incidents. 

If you haven’t already, it’s a good idea to implement a proven cybersecurity framework, like ISO 27001, and begin putting into place the processes and technology you’ll need to streamline your DORA audits.

Third-party risk management

Reducing ICT risk and hardening financial institutions against a systemic shock is the ultimate goal of DORA, and the galaxy of third-party ICT service providers that financial organizations work with is the primary focus. That means now is a good time to improve your processes for vetting and onboarding third parties and vendors, taking into consideration the requirements DORA is expected to impose on contracting and ongoing monitoring. Automating these processes using modern risk management technology is also a good idea, so that you’ll be able to produce evidence and audit documentation quickly when it’s time to prove DORA compliance.

Incident management

DORA is going to increase the burden on organizations to report ICT-related incidents in a timely fashion, and such incidents are increasing exponentially. The net effect is that organizations will likely find themselves producing more reports more often. Considering that dynamic, it’s a good idea to start building an automated process for generating reports, so that the new requirements don’t become a drain on your cybersecurity and compliance teams.

Operational resiliency and business continuity planning

DORA regulators have made it clear that they expect organizations to have firm business continuity plans in place and a regular cadence for testing operational resilience. Start developing these plans now, if you haven’t done so already, and start looking for ways to automate your testing where possible.

DORA also requires organizations to have processes for becoming educated on ICT third-party risk and for analyzing and learning from ICT-related incidents. Start having conversations with your managing body now about the potential impact ICT third-party risk could have on your organization, so that they understand the importance of managing it and are more likely to support your DORA compliance efforts. Cyber risk quantification is a powerful tool for tying ICT third-party risk to potential financial impact and helping you communicate it in a common, relatable language.

Managing and maintaining DORA compliance with modern GRC technology

While complying with DORA is certainly possible using traditional, manual risk, compliance, and audit management methods, modern GRC platforms like LogicGate Risk Cloud can help you centralize your DORA-relevant risk data, automate your compliance processes, and streamline your audits, saving you time, resources, and headaches.

Risk Cloud includes solutions for every aspect of DORA compliance, including:

Cyber Risk and Controls Compliance: Prevent ICT incidents by leveraging common, proven cybersecurity frameworks to ensure your cyber risk management and digital operational resiliency programs satisfy all of the requirements for DORA compliance. Simplify DORA compliance audits with cyber risk quantification, automated evidence collection, and other cyber risk management capabilities.

Third-Party Risk Management: Streamline your third-party risk management assessment program with automated, customizable questionnaires and easily analyze the potential impact of each vendor relationship on your overall digital operational resilience.

Incident Management: Establish automated procedures to identify, track, log and categorize, and classify ICT-related incidents according to their priority and severity. Streamline reporting, communication, and response when ICT incidents occur, then easily conduct post-incident reviews to analyze the cause and identify improvements.

Operational Resiliency: Put comprehensive ICT business continuity policies into place to ensure the continuity of your most critical functions. Respond to and resolve all ICT-related incidents in a way that limits damage, prioritizes the resumption of activities, and keeps everyone informed of progress.
