DORA: One year to go until full compliance with the new regulatory framework

news

In one year, on January 17, 2025 the Digital Operational Resilience Act (DORA) will enter into force. By then financial entities must implement all requirements stemming from the Regulation

finger pointing

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a EU regulation that aims to strengthen the IT security of financial entities, making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

Financial institutions in the sense of DORA are credit institutions, payment institutions, electronic money institutions, account information service providers, credit rating agencies, investment firms, central securities depositories, crypto-asset service providers, insurance and reinsurance companies, trade repositories and securitisation repositories, trading venues and data reporting service providers as well as ICT third-party service providers and others (Art. 2(1) DORA).

 

What is the goal of DORA?

The overall goal of DORA is to achieve a high level of digital operational resilience. 5 pillars are supporting the achievement of this goal:

  1. ICT Risk Management Framework (Chapter II)
  2. ICT-related incident management, classification and reporting (Chapter III)
  3. Digital operational resilience testing (Chapter IV)
  4. Managing of ICT third-party risk (Chapter V)
  5. Information-sharing arrangements (Chapter VI)

What is the scope of DORA?

The bases are laid down in the ICT risk management framework (Chapter II). The framework must encompass strategies, policies, procedures, ICT protocols, and tools essential for the proper protection of information assets and ICT assets. This includes safeguarding computer software, hardware, servers, as well as ensuring the protection of pertinent physical components and infrastructures, such as premises, data centers, and sensitive designated areas. The primary objective is to ensure comprehensive protection against risks, including damage and unauthorized access or usage, for all information assets and ICT assets.

The ICT risk management framework must also encompass mechanisms for detection, response, and recovery, interlinked with the second pillar – ICT-related incident management (Chapter III). This section focuses on evaluating current measures for recognizing, categorizing, and reporting IT-related incidents to assess the need for modifications to existing procedures and potential investments in additional tools.

As part of the ICT risk management framework also the digital operational resilience testing programme (Chapter IV) must be integrated. The aim is to assess readiness to deal with ICT-related incidents, to identify weaknesses, deficiencies and gaps in digital operational resilience, and to take prompt corrective action. This program involves conducting various tests, including vulnerability assessments, scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, scanning software solutions, source code reviews when feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.

Moreover, certain financial entities are obligated to undergo advanced testing of their ICT tools, systems, and processes through Threat-Led Penetration Testing (TLPT). Entities subject to this requirement will be identified by the competent authorities.

Finally, within the ICT risk management framework, the policy for managing third-party ICT risk (Chapter V) must be incorporated. This involves evaluating the services offered by ICT third-party service providers to ascertain whether additional regulatory and control measures are necessary concerning the current third-party IT providers.

Several standards, aiming to provide more detailed insights into the requirements of DORA, are still in the negotiation phase – the regulatory technical standards (RTS) and the implementing technical standards (ITS). The challenge is to prepare for full compliance with the Regulation while awaiting further clarification on many crucial issues.

Despite the seemingly long timeframe of one year, it is prudent to start preparations now. Although the RTS and ITS are yet to be adopted, proactive preparation is essential. Once these standards are officially approved, adjustments can be made to existing policies to align them with the newly specified requirements.

DORA places responsibility on the management of financial institutions, requiring them to play a central and active role in guiding and adapting the ICT risk management framework and overall digital operational resilience strategy.

Contact us for your compliance with DORA

SEC Consult is ready to assist you in your journey towards compliance.

About the author

Anna-Maria Praks
Anna-Maria Praks
SEC Consult
R&D Lead Vulnerability Lab

Anna-Maria is a professional with over 25 years’ experience in the security industry. Her areas of expertise include cyber security, defence and security policy, international relations and government affairs. Anna-Maria has worked in politics, academia and the private sector throughout her career. Since 2015, she has been working as a research and development manager at SEC Consult.