By: Neeraj Benjamin, Associate Director – Cybersecurity – LTIMindtree

Have you ever considered how prepared your financial firm is against cyber threats? The Digital Operational Resilience Act (DORA), introduced by the European Commission as part of its Digital Finance Package, aims to ensure that financial entities across the EU can withstand, respond to, and recover from cyber incidents.

DORA^I will become mandatory in all EU member states starting January 17, 2025, following a two-year implementation period that began in January 2023. Although the European Parliament has adopted DORA, each country is currently working out the specifics of their legislation to interpret and enforce the directive.

What is DORA?

The Digital Operational Resilience Act (DORA) mandates that financial organizations enhance their digital operational resilience by standardizing their cybersecurity frameworks. This regulation requires companies to protect, detect, contain, recover, and repair their information and communication technology (ICT) systems in the event of disruptions and cyber-attacks. The goal is to minimize business challenges and expedite the resumption of critical operations.

DORA^II builds on previous regulations by requiring financial institutions and associated (third-party) organizations to manage all aspects of operational risks. This includes identifying vulnerabilities, monitoring third-party risks, establishing rules for ICT risk management, incident reporting, and operational resilience testing. The focus is on safeguarding networks and information systems.

The primary advantage of DORA is that it makes the entire financial sector more resilient to threats. Additionally, it facilitates international cooperation, as all members are required to adhere to the same standards.

Applicability

DORA will apply to financial entities and institutions that include:

• Investment firms
• Trading security depositories
• Crypto asset service providers
• Central security depositories
• Trading venues
• Credit, payment and e-money institutions
• Data reporting service providers
• Insurance undertaking firms
• Credit rating agencies

The Act categorizes these entities into three groups, each with different rule applications:

• Basic financial entity: Fully subject to DORA
• Microenterprise financial entity: Eligible for certain exemptions from DORA
• Article 16 financial entity: Includes entities such as MiFID investment firms, occupational pension providers, and e-money institutions, which may receive exemptions under certain conditions

DORA also extends its requirements to critical suppliers to the financial sector, such as IT network infrastructure and IT operations providers.

Key requirements from organizations

To comply with DORA, organizations must establish and maintain several key elements, such as:

• ICT risk management framework: Develop and implement a comprehensive framework to manage ICT risks
• Incident response process: Establish processes to handle and respond to ICT-related incidents
• Regular security testing: Conduct mandatory and frequent security tests to ensure resilience
• Third-party risk assessments: Map out and manage risks associated with suppliers and third-party services
• Mandatory threat intelligence sharing: Share threat intelligence to enhance overall security

Steps to become compliant with the DORA Act

Understand the requirements: Grasp the context, requirements and obligations of DORA for your organization.

Run a risk assessment: Perform a thorough risk assessment of your entire organization with its supply chain to identify cyber threats and vulnerabilities.

Engage with various business functions: Collaborate across various business functions to analyze and gain a comprehensive view of cyber risks and develop a compliance strategy.

Train employees: Provide training on digital operational resilience tailored to employees’ responsibilities.

Build an operational resilience strategy: Create a strategy to respond effectively to cyber threats, data breaches, and operational disruptions.

Evaluate third-party vendors: Assess the importance, complexity, and scale of services provided by vendors and their effect on business resiliency.

Perform regular DORT and pen testing: Conduct regular Digital Operational Resilience Testing (DORT) and penetration tests as part of compliance.

Automate threat detection: Use threat detection tools to manage cyber incidents, anomalies, and attacks.

Regularly review and update resilience strategies: Continuously review DORT results and past attack data to improve operational resilience strategies over time.

Prepare for worst-case scenarios: Prioritize remediation actions and rank solutions based on the likelihood and impact of vulnerabilities.

Secure your data: Ensure risk and compliance with data protection regulations that apply to EU member states (e.g., GDPR).

Provide evidence of compliance: Be prepared to provide evidence of resilience tests to regulators to demonstrate the safety and security of your data.

The DORA ambit

Penalties for non-compliance with DORA can be severe. Regulators, likely the central banks of member states, can impose fines amounting to 1% of the average daily turnover for each day of non-compliance, up to a maximum of six months. This underscores the importance of adhering to the guidelines and maintaining robust operational resilience.

DORA challenges

Implementing DORA presents several challenges. These include:

Resource scarcity: Organizations may struggle with the additional operational burden due to a shortage of security resources

Incident reporting: There might be reluctance to report every incident due to business implications

Third-party risks: Managing and monitoring third-party activities can be complex and resource-intensive

Conclusion

DORA is more than just a regulatory mandate—it’s a comprehensive framework designed to enhance the resilience of the financial sector. By implementing its requirements, organizations can not only comply with EU regulations for banks but also fortify their defenses against the ever-changing landscape of digital threats. Preparing for DORA involves understanding its requirements, conducting thorough risk assessments, and developing robust resilience strategies. As we move closer to the January 2025 deadline, it’s crucial for financial institutions and their partners to stay informed and proactive in their compliance efforts.

DORA represents a significant step forward in the digital operational resilience of the financial sector. By adhering to its guidelines, we can ensure a more secure, resilient, and cooperative financial environment across the EU.

Citations

^I Proposal for a regulation on a framework for financial data access (FIDA): https://finance.ec.europa.eu/document/download/d8c27557-05cd-4d03-9db7-d195baa18cbc_en?filename=finance-events-230905-presentation_en.pdf

^II The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554: https://www.digital-operational-resilience-act.com/