Navigating the EU's Upcoming Digital Operational Resilience Act (DORA)
The European Union’s Digital Operational Resilience Act (DORA) is set to go into effect on January 17, 2025, and with it will come new information security and risk management requirements placed on EU financial service providers and their associated critical third-party technology entities.
First introduced by the European Commission (EC) in September 2021 and then later formally adopted by the Council of the European Union (EU) and the European Parliament in November 2022, DORA will require financial services organizations to meet risk management, incident reporting, digital operational resiliency testing, information and communications technologies (ICT) third-party risk and information and intelligence sharing standards.
Background and Context
Following a 2020 report released by the European Systemic Risk Board (ESRB), as well as calls from the European Securities and Markets Authority (ESMA) and the European Supervisory Authorities (ESAs), it was concluded that, given the high level of interconnectedness across the financial and ICT industries (FinTech), a systematic, unified, and cohesive approach was needed to manage ongoing risks to the financial sector within the EU.
In response to these issues, the EC proposed DORA. DORA therefore attempts not only to address the aforementioned flaws in the FinTech industries but also to increase the overarching digital resilience of these industries by introducing a modernized approach to ICT risk management (both in-house and with reference to third parties), testing, and incident awareness and reporting.
How Trustwave Can Help Your Organization Be DORA Ready
Before we dive into DORA’s requirements, it’s important to know that Trustwave has extensive experience delivering various DORA-related requirements. Trustwave is well-positioned to assist organizations in any phase of the transition to DORA. This includes, but is not limited to, initial DORA gap assessments, right through to more niche activities such as threat-led penetration testing. Get in touch with the EMEA Cyber Advisory Team today to find out how we can help you in your journey to become DORA compliant.
Does DORA Apply to Your Organization?
To understand whether your organization will be affected by DORA, it is first necessary to analyze whether it falls under the remit of DORA.
Broadly, DORA will encompass all financial entities in the EU, as well as third-party technology service providers who supply a financial entity with ICT offerings or services.
Financial Entities
To drill down further within the context of DORA, a financial entity is considered to be any of the following. This list is not exhaustive and does not include certain exemptions and inclusions; for further details, contact the relevant regulatory body.
- Credit institutions
- Payment institutions
- Investment firms
- Crypto-asset-service providers
- Central securities depositories
- Central counterparties
- Trading venues and data reporting service providers
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Insurance and reinsurance intermediaries
- Insurance intermediaries
- Institutions for occupational retirement provisions
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
Moreover, if your organization is a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and annual balance sheet total that does not exceed EUR 2 million, it would be considered a micro-enterprise under DORA. This means it does not have to meet the same rigorous requirements as larger organizations.
Critical Third-Party ICT Service Providers
In contrast, DORA purposefully describes critical third-party technology service providers in a more holistic light, in line with their ICT services. As such, DORA defines these service providers by reference to “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware-as-a-service and hardware services, which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.”
UK-Based Financial Entities and ICT Service Providers
Whilst DORA does not apply directly to UK-based institutions due to Brexit, it is likely, given the extensive financial linkages and cross-jurisdictional entities shared by the EU and the UK, that many UK institutions and ICT service providers will be affected by DORA.
Although DORA does not greatly depart from current UK regulatory requirements, such as the incoming PS21/3 (Building operational resilience) imposed by the Financial Conduct Authority (FCA), it does expand on and include more nuanced requirements. Such requirements broadly appear to surround:
- The need to share and collaborate with respect to threat intelligence.
- Establishing a systematic approach to third-party risk management.
- Ensuring ongoing operational resilience testing, through activities such as threat-led penetration testing.
Additionally, unlike other financial regulations, DORA has an extensive scope that applies to non-traditional financial institutions such as crypto-asset and crowdfunding service providers, as well as critical ICT service providers. These services, which ordinarily have not previously been subject to extensive regulation, may have to take additional actions if deemed to fall within the scope of DORA.
In light of these differences, institutions and service providers that fall within the scope of DORA should map their current approach to information security against those mandated within DORA. This process of mapping, often referred to as a gap or dependency analysis, will enable institutions and service providers to identify shortcomings in their current approach, thus enabling remediation by implementing the appropriate DORA-aligned action item or activity.
DORA’s Key Requirements
Now that we have established whether or not DORA applies to your organization, it is critical to understand the key requirements of DORA and how these may impact your organization’s current approach to cyber and information security.
DORA has five key pillars which make understanding these requirements straightforward. These are:
- Risk management
- Incident reporting
- Digital operational resiliency testing
- ICT third-party risk
- Information and intelligence sharing
Risk Management
Contained within DORA’s ICT Risk Management requirements are specific conditions an organization must have in place:
- Organization-wide governance and oversight mechanisms for the ICT Risk Management Framework.
- Resilient ICT systems, protocols, and tools equipped to deal with at-capacity demands.
- A comprehensive risk management lifecycle with extensive controls in place for each phase (identification, protection and prevention, detection and response and recovery).
- Tried and tested backup policies and recovery methods.
- A process for integrating learning and evolving across the organization to weave this within the cultural DNA of the organization.
- Clear communications plans, concerning internal and external stakeholders, as well as the public.
Incident Reporting
To ensure the appropriate protocols are in place when an incident occurs, DORA outlines specific requirements that must be met in relation to ICT-related incident management, classification, and reporting. Please note that specific organizations may have additional responsibilities with respect to incident reporting; however, broadly, such requirements include:
- An in-place and comprehensive ICT incident management process.
- A classification system that can account for the criticality, loss, duration, number of parties affected, and geographical spread of an incident or cyber threat.
- A process to report a major ICT-related incident, as well as a process to also voluntarily report any cyber threats determined to be significant.
Please note that the ESAs are likely to release further information pertaining to these specific requirements at some point in the first half of 2024. This new information may include frameworks or standardized templates to guide incident classification and reporting in a streamlined and compliant manner.
Digital Operational Resiliency Testing
Digital resilience is at the core of DORA. As such, some organizations may have additional requirements imposed on them that specify the following:
- ICT tools and systems must be tested at least yearly.
- Any testing must follow a risk-based approach as well as the Risk Management protocols outlined above.
- Any testing must take into consideration the evolving landscape of ICT risk and the criticality of the organization’s information and systems.
- Certain organizations must institute a Threat-Led Penetration Testing program in accordance with the requirements outlined in DORA.
ICT Third-Party Risk
To safeguard against supply chain risk, DORA has introduced a series of measures designed to increase compliance and collaboration between organizations and their third-party ICT suppliers. Such measures include:
- The completion of a preliminary third-party risk assessment prior to onboarding to ensure the third party is suitable for the organization’s needs and future development.
- The establishment of contractual arrangements and service level agreements (SLAs) that include the detailed key provisions as outlined in DORA.
- The maintenance of an up-to-date register, which contains the type of arrangement, the criticality of the service or function utilized, and all other relevant information.
- That appropriate termination clauses are included within contractual arrangements to ensure organizations can act accordingly in the event of a data breach.
- Contractual arrangements to ensure that data is appropriately stored and transferred toward the end of the contractual period or in the event of disruption to business as usual.
- The ability to evidence how contractual arrangements are governed to the appropriate regulatory body upon request.
Please note that the ESAs are likely to release further information pertaining to these specific requirements during the first half of 2024. The release of this information may include frameworks or standardized templates to guide these relationships in a streamlined and compliant manner.
Information and Intelligence Sharing
To further enhance cross-sector collaboration, DORA will introduce an information-sharing arrangement to enable the fintech industry to respond jointly to potential cyber threats. In doing so, DORA outlines that these arrangements must:
- Aim to enhance digital resiliency by sharing tools, techniques, and capabilities.
- Take place within trusted financial entity communities.
- Be implemented in a manner that protects potentially sensitive information and is in line with GDPR.
- If applicable and relevant, involve ICT third-party service providers and public authorities.
- Be disclosed to appropriate authorities, at the beginning and end of membership, to ensure that participation in information sharing networks can be properly verified and vetted.
Key Takeaways from These Requirements
Whilst all these requirements may seem extensive, they are not dissimilar to the controls imposed by other internationally recognized standards such as the NIST CSF and ISO 27001:2022. As such, analyzing DORA’s requirements alongside your Statement of Applicability or control library may give you a good understanding of your organization’s current stance against DORA.
Moreover, it is worth highlighting that many large institutions, such as banks, are likely to have many of these requirements already in place. As such, it is likely that the burden of implementing DORA will fall on smaller entities. Despite this, analyzing the scope of DORA, as well as the principle of proportionality and the definitions contained within the regulation, may provide some relief due to certain exemptions for smaller organizations.
DORA Non-Compliance Penalties
As an EU regulation, DORA enables member states to impose sanctions and fines for breaching the regulation. It should be noted that the severity of the penalty, as with any punishment, will differ based on the nature and degree of the infringement and the jurisdiction in which it took place. It is therefore imperative that organizations begin working towards DORA early to ensure compliance and prevent penalties.