Around the world, and particularly over the past few years, regulators have been looking for ways to strengthen the resilience of the financial sector.
In the European Union, regulators within the European Commission (EC) have taken a concrete step to meet this objective through the Digital Operational Resilience Act (DORA). The EC published a draft version of DORA in September 2020.
It’s important for eligible firms to understand more about DORA, so they can start planning and implementing any necessary controls to assure compliance, once DORA does go into effect in 2023.
What Is the Digital Operational Resilience Act?
Several European Union institutions have already developed risk management requirements for the Information and Communications Technology (ICT) sector. DORA builds on those existing requirements and strengthens them for EU-wide application.
This legislative proposal will require banks and other financial services firms, as well as the critical ICT service providers they work with, to strengthen their third-party risk management programs. These programs should include specific cybersecurity requirements to help financial institutions prevent or mitigate ICT-related cyber threats and attacks.
DORA regulations apply to ICT risk management broadly. That means they will also apply to “critical ICT third-party providers” (CTTPs) and ICT “third-party providers” (TPPs) such as cloud service providers (CSPs). All will fall into the regulatory perimeter of the law.
DORA will unify various recent EU initiatives into one comprehensive and common regulation or set of rules. It will also help EU financial regulators and supervisors to assure that financial firms remain operationally resilient.
Here, “operational resilience” refers to the ability of firms to continue to guarantee service continuity and quality even through operational disruptions in ICT. These disruptions may be related to malicious cyber-attacks, technology failures, or even non-malicious events.
In cases of non-compliant financial institutions, regulators could impose financial penalties of up to 1 percent of average daily global turnover from the preceding year. Furthermore, DORA will also give European Supervisory Authorities (ESAs) the power to request information, conduct inspections (off-site and on-site), and issue relevant recommendations.
Key Pillars of the Digital Operational Resilience Act
Across the 27 EU member states, financial supervisors address ICT risk in ways that can be inconsistent with the rest of the bloc. This has led to the proliferation of fragmented national regulatory initiatives around operational risk management, digital operational resilience testing, and ICT incident classification and reporting.
DORA aims to harmonize those local rules and create a single framework to enforce a common operational resilience standard across the EU’s financial system.
Five key pillars will reinforce this framework:
ICT Risk Management
Financial firms depend heavily upon ICT for service delivery and operational continuity. But this makes them particularly vulnerable to cyber-attacks.
Such attacks could harm the entire financial services industry and even national or international economies; hence digital operational resilience is critical in the financial services sector. DORA aims to help financial entities build that resilience.
Financial entities must create, maintain, and document a robust ICT risk management framework to comply with DORA. This oversight framework must include:
- A comprehensive business continuity policy
- Disaster recovery plans
- A communications policy
Firms must also assure that their ICT systems satisfy the requirements laid out in DORA, so they can detect and identify anomalous activities, identify ICT vulnerabilities and risks, implement robust security controls, and activate the correct response and recovery measures following a cyber-attack.
ICT Incident Reporting
One of the primary aims of DORA is to streamline the reporting of ICT-related incidents and harmonize it throughout the EU’s financial sector.
It will impose a mandate for financial entities to implement early-warning indicators of a possible cyber threat and establish as well as a systematic process to manage ICT-related incidents. They will also have to classify such incidents and report all significant incidents to a central EU hub.
Digital Operational Resilience Testing
Regular digital operational resilience testing will be mandatory under DORA. Financial entities should engage independent internal or external parties to conduct this testing. The testing program should enable the organization to prioritize, classify and remedy cyber defects.
The program should include a range of assessments and tests, tools, methodologies, practices, procedures, and policies to achieve this goal.
Information and Intelligence Sharing
DORA will allow financial entities, TPPs, and CTTPs to exchange information and intelligence with each other about:
- Cyber threats
- Threat detection methods
- Security alerts
- Threat actor tactics and procedures
An EU initiative has already been proposed to improve cyber information sharing and cooperation among EU institutions. This initiative to establish a Joint Cyber Unit (JCU) will be fully in place by June 2023 and fits with DORA’s information sharing pillar.
ICT Third-party Risk Management
Third-party service providers and outsourcing firms present several systemic risks to the financial sector. DORA rules will enable financial entities to better manage their third-party risks and relationships. It will also prescribe specific requirements for:
- Contracts between financial entities and ICT third-party service providers
- Circumstances under which these contracts must be terminated
- Locations where financial data is processed
- Service level descriptions
- ICT reporting obligations
- Rights of access
How Will DORA Apply to Businesses?
Once it goes into effect, DORA will apply to all large and small financial entities regulated at the EU level. Specifically, DORA will focus on 20 types of regulated EU financial entities, including:
- Banks
- Electronic money and payment institutions
- Credit institutions
- Investment firms
- Crypto-asset service providers
- Alternative investment funds managers
- Insurance undertakings and intermediaries
- Securities, trade, and securitization repositories
- Credit rating agencies
- Audit firms
DORA rules will also apply to central counterparties, trading venues, crowdfunding service providers, and retirement pensions, among others.
That said, DORA is not limited to financial entities. ICT service providers will also be included within DORA’s guidelines. These ICT providers include:
- CSPs
- Software development firms
- Data analytics firms
- Data Center providers
In addition to implementing robust strategies for cyber risk management, third-party risk management, and supply chain resilience, ICT providers will also have to assure that they have robust governance and risk frameworks in place to protect their assets and data.
Since DORA is expected to go into effect in 2023, as of September 2021, eligible firms have 12 to 18 months to comply with its requirements. These requirements will be announced in the first phase of the rollout. Firms will have a little more time to comply with DORA’s secondary legislation and technical standards.
Nonetheless, if your organization falls under DORA’s ambit, you should start taking action to address its requirements sooner rather than later.
Keep Your Organization Compliant with DORA
DORA is not a “tick-box exercise.” Instead, it requires a systematic, step-by-step approach to perform a cyber risk assessment and achieve operational resilience.
Reciprocity and ZenGRC can help you streamline and ease your journey by helping you find compliance efficiencies.
ZenGRC enables security teams to identify, assess, and mitigate risk in their digital ecosystem, and to prioritize resources to remediate the most critical issues.
Get access to powerful insights to meet the requirements of DORA and other regulations, continuously monitor your attack surface, and establish a sound governance program to minimize third-party risk.
Please contact us for more information about how Reciprocity and ZenGRC can help your organization achieve DORA compliance with minimal friction; or sign up for a free demo to see ZenGRC in action.