Blog 1 van 9
Organizations in the financial sector rely heavily on IT technology and supporting IT-companies to provide their services. This makes the sector vulnerable to system failure due to technological problems but also a desirable target for cyber-attacks. The question here is not whether you as an organization will be hit, but when. In addition to the attention this has at the organizational and national level, the EU has introduced the Digital Operational Resilience Act (DORA). This is the European regulation with the goal that financial organizations will better manage their IT risks and thus also become more resilient to cyber threats. DORA has been in effect since January 2023 and gives financial institutions until Jan. 17, 2025, to comply with all requirements.
What is DORA?
DORA is designed to make financial organizations more resilient to IT risks and cyber threats. Under this regulation, financial institutions must implement a comprehensive cybersecurity program. This program includes policies, procedures and risk management activities that are audited annually by an external regulator.
Scope of DORA
DORA applies not only to all organizations in the financial sector but also to the crucial IT service providers that serve these organizations. IT service providers are thus also directly subject to supervision by the European Supervisory Authorities. Supervisors may impose fines for non-compliance with the DORA obligations. The technical regulatory standards are currently being further developed and published by the European Supervisory Authorities.
The Five Pillars of DORA
In DORA, the requirements are divided into 5 “pillars”.
- ICT Risk Management
This section describes obligations at the organizational and process level. This includes matters such as a documented ICT risk management framework including responsibilities, but also a risk management process that identifies cyber risks and can test the measures. Obviously, an up-to-date insight into the existing landscape is an important prerequisite. Important points of attention are the mapping of IT partner services and associated risk analysis and periodic, at least annual, checks on the security status of legacy systems.
- ICT Incident Reporting
This section describes the mandatory reporting of cyber incidents and the measures to be taken regarding detecting anomalies in network traffic, especially regarding cyber-attacks.
- Digital Operational Resilience Testing
Within this topic are issues like having an IT continuity plan (including the services of external service providers) and the corresponding testing obligation. This obligation concerns the risk-based approach to security testing by professional and preferably accredited penetration testers and, on the other hand, the necessary procedures regarding incident response, disaster recovery and backup. In addition, organizations must use up-to-date systems to withstand crisis situations and ensure process continuity.
- ICT Third Party Risk Management.
This pillar describes the obligations to include relevant critical IT service providers (including cloud service providers) in the risk management obligations. Agreements should be made with these service providers regarding cybersecurity assessments.
- Information and Intelligence Sharing
This section includes issues like the framework for sharing cyber threat information and everything that can be included (techniques, indicators of compromise (IoC), security tooling).
Practical Implementation of DORA
Many organizations have already partially met the requirements of DORA through existing internal and external security and continuity guidelines. DORA will be a tightening and these requirements are in addition to already existing efforts. In practice, issues such as continuity in the chain, when using a hybrid IT environment, are often more difficult to capture. The necessary attention will have to be focused on that from continuity based on the possibilities of process disaster recovery but also from data security when it comes to data backup. However, things are changing in terms of reporting and control over external service providers.
Checklists and Roadmaps
Several checklists are available to determine whether an organization meets the DORA requirements and where things need to be completed or modified, resulting in an action list or roadmap. Be alert to the use of these, as there are still updates to the required implementation as described above that may impact the outcome.
Conclusion
The primary purpose of DORA is to identify risks within your organization and implement mitigating or additional measures and solutions for them. These measures are not universal but depend on your specific situation and risk analysis.
Make sure your organization is prepared for the new requirements of DORA and take advantage of the frameworks provided to effectively manage your IT risks. BPSOLUTIONS can help you with the IT infra and security aspects that require a proper DORA implementation. If you would like to know more about this, please contact Louis Joosse or subscribe to our DORA newsletter here.
