As the digital and cyber threat landscape evolves, the European Union (EU) is taking significant strides to strengthen the security and resilience of businesses operating within its borders. The Digital Operational Resilience Act (DORA) is a pioneering regulation to ensure the digital infrastructure of critical sectors remains robust and resilient in the face of escalating cyber threats. All financial services providers are now under pressure to comply with the regulation by the 17th January 2025.
What does resilience mean in simple terms? Cyber resilience is the ability of an organisation to protect itself from, detect, respond to, and recover from cyber-attacks. Note the plural: the reality is that an organisation faces cyber threats every day. By being resilient and able to withstand multiple attacks, organisations can reduce the impact of any one attack and ensure that they can continue to operate effectively.
In this article, we will explore the key facets of DORA, shed light on the organisations it impacts, and outline the cybersecurity regulations and controls that necessitate attention.
What is DORA?
The Digital Operational Resilience Act, proposed by the European Commission, is a regulatory framework designed to bolster the operational resilience of the financial sector. Compliance with the regulation will be mandatory from 17th January 2025.
The DORA regulation means that financial services (FS) organisations must fully understand how their operational resilience, third-party risk management, cybersecurity and ICT practices impact their critical functions. This may mean that they need to develop new operational resilience capabilities that must be tested and proven to work before January 2025.
Organisations affected by DORA
The DORA Regulation applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based. DORA mandates stringent cybersecurity standards for financial institutions to protect sensitive customer data, defend against fraud, and prevent system outages that could disrupt critical banking operations and transactions.
Financial entities covered by DORA include:
- Credit institutions.
- Payment institutions.
- Account information service providers.
- Electronic money institutions.
- Investment firms.
- Crypto-asset service providers and issuers of asset-referenced tokens.
- Central securities depositories.
- Central counterparties.
- Trading venues.
- Trade repositories.
- Managers of alternative investment funds.
- Management companies.
- Data reporting service providers.
- Insurance and reinsurance undertakings.
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries.
- Institutions for occupational retirement provision.
- Credit rating agencies.
- Administrators of critical benchmarks.
- Crowdfunding service providers.
- Securitisation repositories.
Although DORA will apply in Europe, it will be relevant for many global entities, either because they are financial firms who (directly, or indirectly through their group) offer their services in the EU, or because they are ICT service providers who offer services in the EU.
Cybersecurity regulations and controls under DORA - How to stay compliant
To achieve compliance with DORA, organisations falling within its scope must address specific cybersecurity regulations and controls. Here are some crucial elements to be considered:
1. Risk Management
Implement comprehensive risk management frameworks to identify, assess, and mitigate cyber risks. Regular risk assessments help businesses stay proactive in addressing potential threats.
2. Incident Reporting
DORA mandates the prompt reporting of significant cyber incidents. Businesses must have robust incident response plans and detection capabilities to ensure quick identification, containment, and recovery from cyber threats. In today's complex cloud and hybrid environments, maintaining 24/7 monitoring visibility and the ability to respond to threats at any hour is a challenge for organisations. Meeting it requires a dedicated security operations centre (SOC) that provides 24/7 coverage, is supported by appropriate technology, and is staffed by cybersecurity experts.
3. Digital Operations Resilience Testing
Conduct regular security testing, audits, and assessments. This could include a combined technology- and human-led testing strategy: attack surface management and continuous assurance tooling alongside penetration testing, red team and purple team exercises, to evaluate the effectiveness of cybersecurity measures and of detection and response capabilities. Identifying vulnerabilities and weaknesses across technology, people, and processes will enable organisations to continuously strengthen their security posture against an ever-evolving threat landscape.
4. Third-Party Risk Management
Evaluating and managing the cybersecurity risks associated with third-party suppliers and service providers, and ensuring that partners adhere to high cyber defence and resilience standards, is crucial for overall sector-wide security. Supply chain attacks continue to rise sharply, because compromising a supplier can give access to the crown jewels and cause maximum impact and disruption. Combining sophisticated third-party vulnerability assessment tools with a governance structure and human-led analysis can provide robust protection against third-party risks.
5. Information Sharing and Cooperation
Foster collaboration among organisations within the sector and with relevant authorities. An organisation should understand the day-to-day threat landscape relevant both to itself as a target and to the financial industry as a whole. Threat intelligence is vital in providing this capability. Sharing threat intelligence between organisations and coordinating responses are essential for an effective collective defence against cyber threats.
DORA compliance and the future
DORA represents a paradigm shift in how the EU addresses the evolving landscape of cyber threats. Organisations in the financial sector must recognise the importance of aligning their cybersecurity practices with DORA's requirements. By doing so, they not only ensure compliance with the regulation but also contribute to the overall resilience and security of the EU's digital infrastructure. As we navigate the complexities of the digital age, embracing DORA is an imperative step towards a more secure and interconnected future.
Organisations need to prepare for increased and intrusive regulatory engagement: DORA will give both national and EU-level supervisors extensive new mandates and powers concerning digital operational resilience.
Instead of viewing DORA as merely a compliance task, organisations need to anticipate regulators and authorities developing supervisory frameworks that use these new powers to push regulated organisations to enhance their operational resilience capabilities.
How to comply with DORA
For organisations seeking expert assistance in achieving DORA compliance, speak to us today. LRQA offers a tailored approach and is uniquely placed to offer an end-to-end service to ensure your compliance. Our comprehensive services include:
Advisory and compliance consulting
- Provision of consultancy-led expert guidance on aligning cybersecurity practices with DORA requirements.
- Creation, development and implementation of policies and procedures for compliance.
Offensive testing
- Penetration testing to identify vulnerabilities in financial systems and applications, with detailed reports and actionable recommendations for remediation.
- We go beyond point-in-time testing with attack surface management and continuous assurance capabilities.
- Sophisticated and threat-led adversarial testing utilising red and purple team capabilities.
Managed detection and response (MDR)
- Provision of 24/7 monitoring and response services using leading industry technology capabilities to swiftly identify and mitigate cyber threats while leveraging advanced threat intelligence to enhance detection capabilities.
Incident response
- We deliver an expert service as an assured NCSC Level 2 Cyber Incident Response provider, providing cyber incident response services designed to strengthen an organisation's preparedness and response capability in the event of a serious cyber incident.
Download our guide to learn more about DORA.